CVE-2025-34322
BaseFortify
Publication date: 2025-11-17
Last updated on: 2025-11-26
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nagios | log_server | to 2026 (exc) |
| nagios | log_server | 2026 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Nagios Log Server versions prior to 2026R1.0.1 and involves an authenticated command injection through the 'Natural Language Queries' feature. Configuration values for this feature are taken from application settings and used in system commands without proper validation or restriction of special characters. An authenticated user with access to global configuration can exploit this to execute arbitrary operating system commands with the privileges of the web server account, potentially compromising the Log Server host.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an authenticated user to execute arbitrary operating system commands on the Log Server host with the privileges of the web server account. This can lead to full compromise of the Log Server host, including unauthorized access, data manipulation, or disruption of services.