CVE-2021-47693: 
Nagios XI vulnerability analysis and mitigation

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.3 / Nagios XI 5.8.5 contains a SQL injection vulnerability in the search text handling. The vulnerability was disclosed on October 30, 2025 and affects the configuration object editors functionality (VulnCheck Advisory).

The vulnerability stems from unsanitized user-supplied input being incorporated into SQL queries used by configuration object editors. This SQL injection vulnerability (CWE-89) has received a CVSS v4.0 Base Score of 8.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, indicating it is network accessible, requires low attack complexity, and can result in high impact to confidentiality, integrity, and availability (VulnCheck Advisory).

Successful exploitation of this vulnerability could lead to unauthorized disclosure or modification of configuration and application data. In some environments, it could potentially allow further compromise of the application or backend database. The vulnerability requires authenticated access to exploit (VulnCheck Advisory).

The vulnerability has been fixed in Nagios XI version 5.8.5 and CCM version 3.1.3. Users should upgrade to these or later versions to mitigate the vulnerability (Nagios Changelog).