Nagios XI versions prior to 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized disclosure or modification of application data or execution of arbitrary SQL commands against the backend database.
PUBLISHED5.2CWE-89
Nagios XI < 5.7.5 SQL injection via SNMP Trap Interface Edit Page
Problem type
Affected products
Nagios
XI
< 5.7.5 - AFFECTED
References
nagios.com
https://www.nagios.com/changelog/nagios-xi/
vulncheck.com
https://www.vulncheck.com/advisories/nagios-xi-sqli-via-snmp-trap-interface-edit-page
JSON source
Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2020-36869",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2025-10-31T13:23:30.086Z",
"dateReserved": "2025-10-30T14:33:17.565Z",
"datePublished": "2025-10-30T21:45:10.468Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2025-10-30T21:45:10.468Z"
},
"title": "Nagios XI < 5.7.5 SQL injection via SNMP Trap Interface Edit Page",
"descriptions": [
{
"lang": "en",
"value": "Nagios XI versions prior to 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized disclosure or modification of application data or execution of arbitrary SQL commands against the backend database.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "Nagios XI versions prior to 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized disclosure or modification of application data or execution of arbitrary SQL commands against the backend database.<br>"
}
]
}
],
"affected": [
{
"vendor": "Nagios",
"product": "XI",
"modules": [
"Web UI – SNMP Trap Interface: edit page / parameter handler"
],
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThan": "5.7.5"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
"cweId": "CWE-89",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.nagios.com/changelog/nagios-xi/",
"tags": [
"release-notes",
"patch"
]
},
{
"url": "https://www.vulncheck.com/advisories/nagios-xi-sqli-via-snmp-trap-interface-edit-page",
"tags": [
"third-party-advisory"
]
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"solutions": [
{
"lang": "en",
"value": "Nagios addresses this vulnerability as \"Fixed SQL injection vulnerability in the edit page for SNMP Trap Interface.\"",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "Nagios addresses this vulnerability as \"Fixed SQL injection vulnerability in the edit page for SNMP Trap Interface.\"<br>"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Matthew Aberegg",
"type": "finder"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-10-31T13:23:30.086Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}