CVE-2024-38866: 
Linux Debian vulnerability analysis and mitigation

A vulnerability has been identified in Nagvis before version 1.9.47, tracked as CVE-2024-38866. The vulnerability relates to improper neutralization of input which can lead to livestatus injection. The issue was discovered and fixed in May 2025, with the patch being merged through a pull request by user Shortfinga (NagVis Changelog, GitHub PR).

The vulnerability has been assigned a CVSS 4.0 Base Score of 5.3 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L. The issue is related to improper neutralization of delimiters (CWE-140) in the dynmap functionality of Nagvis (NVD).

The vulnerability can lead to livestatus injection attacks, potentially affecting the system's security by allowing manipulation of livestatus queries. The impact is primarily focused on system integrity, as indicated by the CVSS scoring which shows low impact on confidentiality and availability but some impact on system integrity (NagVis Changelog).

The vulnerability has been fixed in Nagvis version 1.9.47. Users are advised to upgrade to this version to mitigate the risk. The fix specifically addresses the livestatus injection vulnerability through improved input validation (NagVis Changelog).