Skip to main content

Infra Monitoring

1 CVEs product

Monthly

CVE-2026-14453 CRITICAL PATCH Act Now

Server-Side Template Injection in Centreon's centreon-open-tickets module enables authenticated users to achieve remote code execution on the Centreon Infra Monitoring server. The message_confirm field is persisted without sanitization and later rendered by the Smarty template engine with no security policy applied, so injected template directives execute as server-side code. Rated CVSS 9.6 with a scope change; no public exploit identified at time of analysis and no EPSS score supplied, but the low authentication barrier and RCE outcome make this a high-priority patch.

Code Injection RCE Infra Monitoring
NVD GitHub
CVSS 3.1
9.6
EPSS
0.5%
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Server-Side Template Injection in Centreon's centreon-open-tickets module enables authenticated users to achieve remote code execution on the Centreon Infra Monitoring server. The message_confirm field is persisted without sanitization and later rendered by the Smarty template engine with no security policy applied, so injected template directives execute as server-side code. Rated CVSS 9.6 with a scope change; no public exploit identified at time of analysis and no EPSS score supplied, but the low authentication barrier and RCE outcome make this a high-priority patch.

Code Injection RCE Infra Monitoring
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy