CVE-2020-36862 MEDIUM

CVE-2020-36862: Nagios XI < 5.6.11 Unauthenticated XSS and SSRF via Highcharts

Vendor Nagios
Product XI
Weakness CWE-79 · XSS
Published October 30, 2025
Last update November 17, 2025

CVSS base score 6.9/10 (CVSS 4.0)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality impact None (VC:N in the vector below)
Integrity impact Low (VI:L in the vector below)

CVSS vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

Description

Nagios XI versions prior to 5.6.11 contain unauthenticated vulnerabilities in the Highcharts local exporting tool. Crafted export requests could (1) inject script into exported/returned content due to insufficient output encoding (XSS), and (2) cause the server to fetch attacker-specified URLs (SSRF), potentially accessing internal network resources. An unauthenticated remote attacker can leverage these issues to execute script in a user's browser when the exported content is viewed and to disclose sensitive information reachable from the export server via SSRF.

Disclosure timeline

October 30, 2025 CVE published
November 17, 2025 Record updated
