CVE-2024-13993 MEDIUM

CVE-2024-13993: Nagios XI < 2024R1.1.2 Reflected XSS via Login Page on Older Browsers

Vendor Nagios
Product XI
Weakness CWE-79 · XSS
Published October 30, 2025
Last update November 17, 2025

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Nagios XI versions prior to < 2024R1.1.2 are vulnerable to a reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim’s browser within the Nagios XI origin. The issue is observable under legacy browser behaviors; modern browsers may mitigate some vectors.

Key dates

02Disclosure timeline

October 30, 2025 CVE published
November 17, 2025 Record updated