Icinga — Vulnerabilities & Security Advisories (28)

Browse all 28 CVE security advisories affecting Icinga. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Icinga is an open-source network monitoring system designed to track the availability and performance of IT infrastructure components, serving as a scalable alternative to Nagios. Its architecture relies on a master-satellite topology, allowing distributed monitoring across complex environments. Historically, security assessments have identified vulnerabilities primarily within its web interface and API components, with common flaw classes including cross-site scripting (XSS), improper access control, and remote code execution (RCE). These issues often stem from insufficient input validation or misconfigured permissions in older releases. While no single catastrophic breach has defined its public history, the accumulation of twenty-seven recorded CVEs highlights the necessity for rigorous patch management. Administrators must prioritize updating to mitigate risks associated with exposed endpoints, ensuring that the monitoring tool itself does not become an entry point for attackers seeking to compromise underlying network assets.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-42224 | ipl/web is vulnerable to reflected XSS by malformed search requests | ipl-web | CWE-79 | 7.6 | High | 2026-05-08 |
| CVE-2026-24414 | Icinga for Windows certificate can have too-open permissions | icinga-powershell-framework | CWE-276 | 5.5 (AI) | Medium (AI) | 2026-01-29 |
| CVE-2026-24413 | Icinga has insecure permission of %ProgramData%\icinga2\var on Windows | icinga2 | CWE-276 | 5.5 (AI) | Medium (AI) | 2026-01-29 |
| CVE-2025-61909 | Icinga 2 signals sent as root to processes based on PID file written by the Icinga 2 daemon user | icinga2 | CWE-250 | 3.3 (AI) | Low (AI) | 2025-10-16 |
| CVE-2025-61908 | Icinga 2 Denial of Service (DoS) By Dereferencing Invalid Reference | icinga2 | CWE-476 | 6.5 (AI) | Medium (AI) | 2025-10-16 |
| CVE-2025-61907 | Icinga 2 API users could access restricted values in filter expressions | icinga2 | CWE-200 | 6.5 (AI) | Medium (AI) | 2025-10-16 |
| CVE-2025-61789 | Icinga DB Web hidden/protected custom variables are prone to filter enumeration | icingadb-web | CWE-204 | 5.3 | Medium | 2025-10-16 |
| CVE-2025-53840 | Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability | icingadb-web | CWE-200 | 2.4 | Low | 2025-07-16 |
| CVE-2025-48057 | Icinga 2 certificate renewal might incorrectly renew an invalid certificate | icinga2 | CWE-296 | 7.4 (AI) | High (AI) | 2025-05-27 |
| CVE-2025-30164 | Icinga Web 2 has open redirect on login page | icingaweb2 | CWE-601 | 4.1 | Medium | 2025-03-26 |
| CVE-2025-27609 | Icinga Web 2 Vulnerable to Reflected XSS | icingaweb2 | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-03-26 |
| CVE-2025-27406 | Icinga Reporting Stored XSS leads to SSRF | icingaweb2-module-reporting | CWE-79 | 7.7 | High | 2025-03-26 |
| CVE-2025-27405 | Icinga Web 2 has XSS in embedded content | icingaweb2 | CWE-79 | 7.7 | High | 2025-03-26 |
| CVE-2025-27404 | Icinga Web 2 DOM-based XSS vulnerability | icingaweb2 | CWE-79 | 7.7 | High | 2025-03-26 |
| CVE-2025-23203 | Icinga has rest API endpoints accessible to restricted users | icingaweb2-module-director | CWE-200 | 5.5 | Medium | 2025-03-26 |
| CVE-2024-49369 | Icinga 2 has a TLS Certificate Validation Bypass for JSON-RPC and HTTP API Connections | icinga2 | CWE-295 | 9.8 | Critical | 2024-11-12 |
| CVE-2024-41811 | ipl/web susceptible to Cross-Site Request Forgery (CSRF) | ipl-web | CWE-352 | 3.9 | Low | 2024-08-05 |
| CVE-2024-24819 | icingaweb2-module-incubator base implementation for HTML forms is susceptible to CSRF | icingaweb2-module-incubator | CWE-352 | 5.3 | Medium | 2024-02-09 |
| CVE-2024-24820 | Icinga Director configuration is susceptible to Cross-Site Request Forgery | icingaweb2-module-director | CWE-352 | 8.3 | High | 2024-02-09 |
| CVE-2023-30607 | icingaweb2-module-jira template and field configuration are susceptible to CSRF | icingaweb2-module-jira | CWE-352 | 5.0 | Medium | 2023-07-05 |
| CVE-2022-24714 | Disclosure of hosts and related data, linked to decommissioned services in Icinga Web 2 | icingaweb2 | CWE-863 | 5.3 | Medium | 2022-03-08 |
| CVE-2022-24716 | Path traversal in Icinga Web 2 | icingaweb2 | CWE-22 | 7.5 | High | 2022-03-08 |
| CVE-2022-24715 | Arbitrary code execution for authenticated users in Icinga Web 2 | icingaweb2 | CWE-22 | 8.5 | High | 2022-03-08 |
| CVE-2021-37698 | Missing TLS service certificate validation in GelfWriter, ElasticsearchWriter, InfluxdbWriter and Influxdb2Writer | icinga2 | CWE-295 | 7.5 | High | 2021-08-19 |
| CVE-2021-32743 | Passwords used to access external services inadvertently exposed through API | icinga2 | CWE-202 | 8.8 | High | 2021-07-15 |
| CVE-2021-32739 | Results of queries for ApiListener objects include the ticket salt which allows in turn to steal (more privileged) identities | icinga2 | CWE-267 | 8.8 | High | 2021-07-15 |
| CVE-2021-32747 | Custom variable protection and blacklists can be circumvented | icingaweb2 | CWE-200 | 5.3 | Medium | 2021-07-12 |
| CVE-2021-32746 | Possible path traversal by use of the `doc` module | icingaweb2 | CWE-22 | 5.3 | Medium | 2021-07-12 |

This page lists every published CVE security advisory associated with Icinga. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.