Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
8.8

Nagios Host Configuration Wizard Allows Remote Code Execution

CVE-2026-2043
Summary

A security issue in Nagios Host's configuration wizard allows attackers who are already authenticated to execute malicious code on the server. This could lead to unauthorized access, data theft, or other serious security breaches. To protect your system, update Nagios Host to the latest version as soon as possible.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
VendorProductAffected versionsFix available
nagios nagios_xi 2026 –
Original title
Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installation...
Original description
Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability.

The specific flaw exists within the esensors_websensor_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28249.
nvd CVSS3.1 8.8
Vulnerability type
CWE-78 OS Command Injection
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026