What is the CVSS score of CVE-2026-2043?

CVE-2026-2043 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 1.2%.

Which versions of Nagios Xi are affected by CVE-2026-2043?

A critical remote code execution vulnerability (CVE-2026-2043) has been discovered in Nagios Host monitoring systems with no vendor patch currently available.

How to fix or mitigate CVE-2026-2043?

Within 24 hours: Identify and inventory all Nagios Host installations and assess which systems are internet-facing or accessible from untrusted networks; immediately disable the esensors_websensor_configwizard_func component if not actively used. Within 7 days: Implement network segmentation to restrict access to Nagios Host systems to authorized administrators only; deploy web application firewall rules to block suspicious input to the vulnerable function; apply vendor security advisories as they become available. Within 30 days: Plan for immediate patching once vendor releases a fix; consider migration to alternative monitoring solutions if patching timeline becomes unacceptable; conduct comprehensive audit of Nagios Host systems for signs of compromise.

Nagios Xi CVE-2026-2043

HIGH

OS Command Injection (CWE-78)

2026-02-20 zdi-disclosures@trendmicro.com

RCE Command Injection Nagios Xi

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

CVE Published

Feb 20, 2026 - 23:16 nvd

HIGH 8.8

DescriptionCVE.org

Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability.

The specific flaw exists within the esensors_websensor_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28249.

AnalysisAI

Remote code execution in Nagios Xi through command injection in the esensors_websensor_configwizard_func method allows authenticated attackers to execute arbitrary commands with service account privileges. The vulnerability stems from insufficient input validation on user-supplied parameters passed to system calls. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Nagios Host interface

Exploit

Call esensors_websensor_configwizard_func method

Execution

Inject shell metacharacters in user-supplied string

Impact

Execute arbitrary code as service account

Access

Authenticate to Nagios Host interface

Exploit

Call esensors_websensor_configwizard_func method

Execution

Inject shell metacharacters in user-supplied string

Impact

Execute arbitrary code as service account

Vulnerability AssessmentAI

Exploitation	Valid authentication credentials for Nagios Host required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote attacker could exploit this vulnerability to execute arbitrary code on affected installations of Nagios Host.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all Nagios Host installations and assess which systems are internet-facing or accessible from untrusted networks; immediately disable the esensors_websensor_configwizard_func component if not actively used. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-2043 vulnerability details – vuln.today

Back

Nagios Xi CVE-2026-2043

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code