Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
Network-reachable module needs only a low-privilege authenticated account (PR:L, AC:L); RCE escapes the app to the host (S:C) and permits secret disclosure, data modification, and disruption, so C/I/A all High.
Primary rating from Vendor (Centreon).
CVSS VectorVendor: Centreon
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets module that leads to Remote Code Execution. The message_confirm field is stored without sanitization and rendered via Smarty with no security policy enabled, allowing any authenticated user, to inject and execute arbitrary code on the server. This results in disclosure of environment secrets and could impact platform availability of Centreon Infra Monitoring product.
AnalysisAI
Server-Side Template Injection in Centreon's centreon-open-tickets module enables authenticated users to achieve remote code execution on the Centreon Infra Monitoring server. The message_confirm field is persisted without sanitization and later rendered by the Smarty template engine with no security policy applied, so injected template directives execute as server-side code. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Centreon account (CVSS PR:L) with access to the centreon-open-tickets module's ticket/confirmation configuration, and the ability to save data into the message_confirm field, which is stored unsanitized and later rendered by Smarty with no security policy enabled - that missing security policy is the exact enabling condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals point to a genuine high priority rather than a paper-tiger high-CVSS issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or been granted a low-privilege Centreon account navigates to the open-tickets module and saves a confirmation message containing Smarty template syntax (for example a {php} block or code-executing modifier) in the message_confirm field. When that message is subsequently rendered, Smarty compiles and executes the payload on the Centreon server, letting the attacker read environment secrets and run OS commands. … |
| Remediation | Upgrade Centreon and the centreon-open-tickets module to the latest fixed release published at https://github.com/centreon/centreon/releases; the provided intelligence points to a GitHub releases page rather than a single tagged fix version, so the released patched version is not independently confirmed here and the exact target build should be verified against Centreon's advisory before deployment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Centreon deployments with the centreon-open-tickets module installed; immediately restrict administrative access to essential personnel only and review recent access logs for suspicious activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43316
GHSA-623j-mjcm-f442