CVE-2026-2043
Command Injection in Nagios Host esensors_websensor_configwizard_func
Publication date: 2026-02-20
Last updated on: 2026-02-24
Assigner: Zero Day Initiative
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nagios | nagios_xi | 2026 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
I don't know
Can you explain this vulnerability to me?
This vulnerability is a command injection remote code execution flaw in Nagios Host, specifically in the esensors_websensor_configwizard_func method. It occurs because the software does not properly validate a user-supplied string before using it to execute a system call. An attacker who is authenticated can exploit this flaw to execute arbitrary code on the affected system with the privileges of the service account.
How can this vulnerability impact me?
If exploited, this vulnerability allows an authenticated attacker to execute arbitrary code remotely on the affected Nagios Host system. This can lead to full compromise of the service account running Nagios Host, potentially allowing the attacker to manipulate system operations, access sensitive data, disrupt services, or use the system as a foothold for further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know