Nagios Log Server Command Injection Vulnerability in Natural Language Queries

Vulnerability

A command injection vulnerability has been identified in Nagios Log Server versions prior to 2026R1.0.1. This vulnerability allows authenticated users with access to global configuration to execute arbitrary operating system commands. The issue arises from the experimental 'Natural Language Queries' feature, where configuration values are read from application settings and incorporated into system commands without proper validation or restriction of special characters. As a result, commands can be executed with the privileges of the web server account, potentially compromising the Log Server host.
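
The pattern described above (a stored setting flowing into a shell command without character restriction) and its hardened counterpart, as an added illustration that is not Nagios Log Server code. The setting name, the runner path `/opt/example/nlq-runner` and the allowlist are assumptions chosen for this example; the vulnerable builder only returns the string so it can be inspected, it never executes anything.

```python
"""Illustrative hardening for configuration values that end up in OS commands.

Hypothetical example, not Nagios Log Server code. The setting name
'nlq_model_path' and the runner path are assumptions for this example.
"""
import re
import subprocess

# Allowlist for a path-like setting (assumption for this example): letters,
# digits, underscore, dot, slash and dash. Everything else is rejected.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_./-]+$")

# Characters a shell interprets; a stored setting should never carry them.
SHELL_META = frozenset(';&|`$(){}<>\n\r"\'\\*?[]~!#')

RUNNER = "/opt/example/nlq-runner"  # assumed binary, not a real Nagios path


def unsafe_command(model_path: str) -> str:
    """The vulnerable pattern: the raw setting is interpolated into a shell
    string. Returned for inspection only; never passed to a shell here."""
    return f"{RUNNER} --model {model_path}"


def validate_setting(value: str, max_len: int = 256) -> str:
    """Reject any value outside the allowlist before it reaches a command."""
    if not value or len(value) > max_len:
        raise ValueError("setting is empty or too long")
    if not SAFE_VALUE.fullmatch(value):
        raise ValueError("setting contains characters outside the allowlist")
    return value


def safe_argv(model_path: str) -> list[str]:
    """Hardened form: validated value placed in an argv list, no shell."""
    return [RUNNER, "--model", validate_setting(model_path)]


def run_safe(model_path: str) -> subprocess.CompletedProcess:
    """shell=False hands argv straight to the OS; metacharacters are inert."""
    return subprocess.run(
        safe_argv(model_path), shell=False, check=False,
        capture_output=True, text=True,
    )


def suspicious_setting(value: str) -> bool:
    """Detection aid: does a stored value carry shell metacharacters?"""
    return any(ch in SHELL_META for ch in value)


def audit_settings(settings: dict[str, str]) -> list[str]:
    """Return the names of settings that would fail validation, so an
    administrator can review stored configuration before upgrading."""
    flagged = []
    for name, value in settings.items():
        if suspicious_setting(value) or not SAFE_VALUE.fullmatch(value or ""):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample settings for demonstration; not real data.
    sample = {
        "nlq_model_path": "models/model.bin",
        "nlq_scratch_dir": "/var/tmp/nlq; id",
    }
    print("unsafe string:", unsafe_command(sample["nlq_scratch_dir"]))
    print("flagged settings:", audit_settings(sample))
    print("safe argv:", safe_argv(sample["nlq_model_path"]))
```

The unsafe builder shows how a value such as `/var/tmp/nlq; id` survives intact into a shell string, while `safe_argv` raises before any process is created and `audit_settings` gives a defender a quick way to review stored values on an unpatched host.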

Impact

Exploitation of this vulnerability could lead to unauthorized execution of commands on the operating system, with the same privileges as the web server account. This could allow an attacker to compromise the host running Nagios Log Server.

Remediation

Users are advised to upgrade to Nagios Log Server version 2026R1.0.1 or later.

Added: Nov 17, 2025, 6:28 PM
Updated: Nov 17, 2025, 6:28 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 10.0
exploitability: 4.8
remediation: 7.7
relevance: 1.1
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.