CVE-2016-15049 MEDIUM

CVE-2016-15049: Nagios Log Server < 1.4.2 Dashboards Logs Table XSS

Vendor Nagios

Product Log Server

Weakness CWE-79 · XSS

Published October 30, 2025

Last update November 17, 2025

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Nagios Log Server versions prior to 1.4.2 are vulnerable to cross-site scripting (XSS) in the Dashboards section when rendering log entries in the Logs table. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs to execute script in the victim’s browser within the application origin.

Key dates

02Disclosure timeline

October 30, 2025 CVE published

November 17, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2016-15049 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2023-40330 WordPress GD Security Headers Plugin <= 1.6.1 is vulnerable to Cross Site Scripting (XSS) CVE-2025-0706 JoeyBling bootplus admin.html cross site scripting CVE-2024-4707 Materialis Companion <= 1.3.41 - Authenticated (Contributor+) Store Cross-Site Scripting via materialis_contact_form Shortcode CVE-2025-6261 Fleetwire Fleet Management Plugin <= 1.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via fleetwire_list Shortcode CVE-2023-4136 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafter Engine