← Back to CVEs
CVE-2020-36863
HIGH8.8
Description
Nagios XI versions prior to 5.7.2 allow PHP files to be uploaded to the Audio Import directory and executed from that location. The upload handler did not properly restrict file types or enforce storage outside of the webroot, and the web server permitted execution within the upload directory. An authenticated attacker with access to the audio import feature could upload a crafted PHP file and then request it to achieve remote code execution with the privileges of the application service.
CVE Details
CVSS v3.1 Score8.8
SeverityHIGH
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
Published10/30/2025
Last Modified11/5/2025
Sourcenvd
Honeypot Sightings0
Affected Products
nagios:nagios_xi
Weaknesses (CWE)
CWE-434
References
https://www.nagios.com/changelog/nagios-xi/(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/nagios-xi-unrestricted-file-upload-via-audio-import-directory(disclosure@vulncheck.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.