Nagios XI
cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*
- 2026R1.0.1 build 1762361101
A SQL injection vulnerability has been identified in Nagios XI version 2026R1.0.1 build 1762361101. The issue arises because dashboard parameters are not properly filtered, allowing authenticated users to manipulate SQL queries. The vulnerability is located in the file '/usr/local/nagiosxi/html/api/v2/endpoints/dashboards_v2/index.php', specifically in the 'get()' function, where the 'id' parameter is used without adequate validation.
Exploitation of this vulnerability allows SQL injection, which could lead to unauthorized access to or manipulation of data in the database. Additionally, according to the vulnerability disclosure, this SQL injection could be leveraged for remote code execution.
To reproduce this vulnerability, send a GET request to '/nagiosxi/api/v2/dashboards_v2' with a crafted 'id' parameter containing SQL injection payloads. Because the parameter is not properly validated, the injected SQL is executed by the database.