Nagios Log Server < 2026R1.0.1 Authenticated Command Injection via Natural...

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability via the experimental 'Natural Language Queries' feature. Configuration values for this feature are read from the application settings and incorporated into a system command without adequate validation or restriction of special characters. An authenticated user with access to global configuration can abuse these settings to execute arbitrary operating system commands with the privileges of the web server account, leading to compromise of the Log Server host.

AI Analysis

Authenticated command injection vulnerability via the experimental 'Natural Language Queries' feature

Basic Information

ID CVE-2025-34322

Source VulnCheck

Published Nov 17, 2025 at 17:48

Modified Nov 17, 2025 at 21:36

Affected Product

Vendor Nagios

Product Log Server

Affected Versions Nagios Log Server 0

CWE Classification

CWE-78

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor Nagios

Product Nagios Log Server

Version < 2026R1.0.1

References

{
    "lastseen": "",
    "description": "Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability via the experimental 'Natural Language Queries' feature. Configuration values for this feature are read from the application settings and incorporated into a system command without adequate validation or restriction of special characters. An authenticated user with access to global configuration can abuse these settings to execute arbitrary operating system commands with the privileges of the web server account, leading to compromise of the Log Server host.",
    "published": "2025-11-17T17:48:04.503Z",
    "modified": "2025-11-17T21:36:26.201Z",
    "type": "cve",
    "title": "Nagios Log Server < 2026R1.0.1 Authenticated Command Injection via Natural Language Queries",
    "source": "VulnCheck",
    "references": "https://www.nagios.com/products/security/#log-server\nhttps://www.nagios.com/changelog/nagios-log-server/nagios-log-server-2026r1-0-1/\nhttps://www.vulncheck.com/advisories/nagios-log-server-authenticated-command-injection-via-natural-language-queries",
    "id": "CVE-2025-34322",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "Nagios Log Server 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Log Server",
    "version": "0",
    "vendor": "Nagios",
    "ai_description": "Authenticated command injection vulnerability via the experimental 'Natural Language Queries' feature",
    "ai_severity": "High",
    "ai_vendor": "Nagios",
    "ai_product": "Nagios Log Server",
    "ai_version": "< 2026R1.0.1",
    "ai_score": 8.6
}

Nagios Log Server < 2026R1.0.1 Authenticated Command Injection via Natural Language Queries_CVE-2025-34322