CVE-2024-14006 HIGH

CVE-2024-14006: Nagios XI < 2024R1.2.2 Host Header Injection

Weakness CWE-346 · Origin validation
Published October 30, 2025
Last update November 17, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Nagios XI versions prior to 2024R1.2.2 contain a host header injection vulnerability. The application trusts the user-supplied HTTP Host header when constructing absolute URLs without sufficient validation. An unauthenticated, remote attacker can supply a crafted Host header to poison generated links or responses, which may facilitate phishing of credentials, account recovery link hijacking, and web cache poisoning.
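An added example, not code from Nagios XI or from this advisory, contrasting the pattern the description names (building an absolute URL from the request's Host header) with a hardened version that checks Host against an allowlist and then builds the link from a configured canonical origin. The hostnames, the /reset-password path and the token value are constructed placeholders.

```python
# Added example: trusting the Host header vs. building links from a fixed origin.
# Nothing here is Nagios XI code; hostnames and paths are constructed placeholders.

# Canonical origin and allowlist would come from server configuration, never
# from anything the client sends. Entries are lowercase; a port form is listed
# because clients may legitimately send "host:443".
CANONICAL_ORIGIN = "https://nagios.example.internal"
ALLOWED_HOSTS = {"nagios.example.internal", "nagios.example.internal:443"}
RESET_PATH = "/reset-password"  # placeholder path, not a real Nagios XI route


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def is_trusted_host(host) -> bool:
    """Exact allowlist match: rejects lookalikes such as
    'nagios.example.internal.attacker.example' and any missing Host."""
    return host is not None and host.lower() in ALLOWED_HOSTS


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Vulnerable pattern: the absolute URL is built from the client's Host header.

    A request carrying 'Host: attacker.example' produces a recovery link that
    points at the attacker's server; a victim who follows the emailed link
    hands over the token. The same trust enables cache poisoning when the
    poisoned response is cached under the legitimate URL."""
    host = _header(headers, "Host")
    return f"https://{host}{RESET_PATH}?token={token}"


def hardened_reset_link(headers: dict, token: str) -> str:
    """Hardened pattern: validate Host, then ignore it when building the link.

    The origin comes from configuration, so even an allowlisted Host never
    influences the generated URL. An untrusted Host is rejected loudly rather
    than silently replaced, because it is either a misconfigured proxy or an
    injection attempt and belongs in the logs. Behind a reverse proxy, apply
    the same check to X-Forwarded-Host if the framework consults it."""
    host = _header(headers, "Host")
    if not is_trusted_host(host):
        raise ValueError(f"rejected untrusted Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}{RESET_PATH}?token={token}"
```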

Key dates

Disclosure timeline

October 30, 2025 CVE published
November 17, 2025 Record updated