216.73.217.172

CVE-2025-34322

· Published 17/11/2025 18:15 · Modified 26/11/2025 15:15

Labels: CVE-2025-34322 2025-11-17CVE-2025-34322CWE-78[email protected]

Essential information

Published
17/11/2025 18:15
Modified
26/11/2025 15:15
Author
Creator
CVSS
8.6 HIGH (v3) 8.6 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the experimental 'Natural Language Queries' feature. When this feature is configured, certain user-controlled settings—including model selection and connection parameters—are read from the global configuration and concatenated into a shell command that is executed via shell_exec() without proper input handling or command-line argument sanitation. An authenticated user with access to the 'Global Settings' page can supply crafted values in these fields to inject additional shell commands, resulting in arbitrary command execution as the 'www-data' user and compromise of the Log Server host.

NVD status

Status
Modified — CVE has been amended by a source (CVE Primary CNA or another CNA). Analysis data supplied by the NVD may be no longer be accurate due to these changes.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
nagios / log server cpe:2.3:a:nagios:log_server:*:*:*:*:*:*:*:*
nagios / log server cpe:2.3:a:nagios:log_server:2026:r1:*:*:*:*:*:*

References