Skip to main content

Icinga Web 2 CVE-2025-27404

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-26 security-advisories@github.com
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Apr 05, 2026 - 14:30 nvd
Patch available
Analysis Generated
Mar 28, 2026 - 18:33 vuln.today
CVE Published
Mar 26, 2025 - 15:16 nvd
HIGH 7.6

DescriptionGitHub Advisory

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.

AnalysisAI

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Affected products include: Icinga Icinga Web 2. Version information: prior to 2.11.5.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2018-18249 CRITICAL POC
9.8 Dec 17

Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the

CVE-2022-24715 HIGH POC
8.8 Mar 08

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS

CVE-2022-24716 HIGH POC
7.5 Mar 08

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS

CVE-2020-24368 HIGH POC
7.5 Aug 19

Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker

CVE-2018-18250 HIGH POC
7.5 Dec 17

Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as

CVE-2018-18246 MEDIUM POC
6.5 Dec 17

Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module

CVE-2018-18248 MEDIUM POC
6.1 Dec 17

Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string,

CVE-2018-18247 MEDIUM POC
5.4 Dec 17

Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter. Rated medium severity (CVSS 5.4), t

CVE-2025-27405 HIGH
7.6 Mar 26

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS

CVE-2022-24714 MEDIUM
5.3 Mar 08

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated medium severity (CV

CVE-2025-30164 MEDIUM
4.1 Mar 26

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated medium severity (CV

CVE-2025-27609 LOW
1.1 Mar 26

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated low severity (CVSS

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2025-27404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy