CVE-2016-15050: 
Nagios XI vulnerability analysis and mitigation

Nagios XI versions prior to 5.2.4 contain a SQL injection vulnerability in the notification search functionality. The vulnerability was discovered and disclosed on October 30, 2025, identified as CVE-2016-15050. The issue affects the notification search feature where user-supplied search parameters were incorporated into SQL statements without proper security measures (VulnCheck Advisory).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The issue stems from inadequate parameterization or sanitation of user input in SQL statements within the notification search functionality. The vulnerability has received a CVSS v4.0 score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (VulnCheck Advisory).

Successful exploitation of this vulnerability could allow an authenticated attacker to disclose or modify notification data. In some cases, the impact could extend to broader manipulation of the application database. The vulnerability requires authenticated access but could lead to significant data exposure or modification (VulnCheck Advisory).

The vulnerability has been patched in Nagios XI version 5.2.4. Organizations running affected versions should upgrade to version 5.2.4 or later to address this security issue (Nagios Changelog).