
CVE-2025-6791 – Second order SQL injection available to user with low privilege
https://notcve.org/view.php?id=CVE-2025-6791
22 Aug 2025 — On the monitoring event logs page, it is possible to alter the HTTP request to insert a payload into the DB. This is caused by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon web (Monitoring event logs modules). This issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26.
Reference: https://github.com/centreon/centreon/releases
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2025-4650 – User with high privileges is able to introduce a SQLi using the Meta Service indicator page
https://notcve.org/view.php?id=CVE-2025-4650
22 Aug 2025 — A user with high privileges is able to introduce a SQLi using the Meta Service indicator page. This is caused by an Improper Neutralization of Special Elements used in an SQL Command. This issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26.
Reference: https://github.com/centreon/centreon/releases
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2025-4649 – ACLs are not correctly taken into account in the display of the "event logs" page. This page, which requires high privileges, will display all available logs.
https://notcve.org/view.php?id=CVE-2025-4649
13 May 2025 — Improper Privilege Management vulnerability in Centreon web allows Privilege Escalation. ACLs are not correctly taken into account in the display of the "event logs" page. This page, which requires high privileges, will display all available logs. This issue affects web: from 24.10.3 before 24.10.4, from 24.04.09 before 24.04.10, from 23.10.19 before 23.10.21, from 23.04.24 before 23.04.26.
Reference: https://github.com/centreon/centreon/releases
CWE-269: Improper Privilege Management

CVE-2025-4648 – A user with elevated privileges can inject XSS by altering the content of an SVG media during the submit request.
https://notcve.org/view.php?id=CVE-2025-4648
13 May 2025 — Download of Code Without Integrity Check vulnerability in Centreon web allows Reflected XSS. A user with elevated privileges can inject XSS by altering the content of an SVG media during the submit request. This issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.
Reference: https://github.com/centreon/centreon/releases
CWE-494: Download of Code Without Integrity Check

CVE-2025-4647 – A user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG
https://notcve.org/view.php?id=CVE-2025-4647
13 May 2025 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon web allows Reflected XSS. A user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG. This issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.
Reference: https://github.com/centreon/centreon/releases
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-4646 – A high privilege user is able to create and use a valid admin API token in centreon-web
https://notcve.org/view.php?id=CVE-2025-4646
13 May 2025 — Improper Privilege Management vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation. This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.
Reference: https://github.com/centreon/centreon/releases
CWE-269: Improper Privilege Management

CVE-2025-3872 – Privilege escalation by altering payload in contact form
https://notcve.org/view.php?id=CVE-2025-3872
24 Apr 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon centreon-web (User configuration form modules) allows SQL Injection. A user with high privileges is able to become administrator by intercepting the contact form request and altering its payload. This issue affects Centreon: from 22.10.0 before 22.10.28, from 23.04.0 before 23.04.25, from 23.10.0 before 23.10.20, from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.
Reference: https://github.com/centreon/centreon/releases
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2025-3767 – SQL Injection in Centreon BAM boolean KPI listing
https://notcve.org/view.php?id=CVE-2025-3767
22 Apr 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon BAM (Boolean KPI Listing modules) allows SQL Injection. This page is only accessible to authenticated users with high privileges. This issue affects Centreon BAM: from 24.10 before 24.10.1, from 24.04 before 24.04.5, from 23.10 before 23.10.10, from 23.04 before 23.04.10.
Reference: https://github.com/centreon/centreon/releases
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2024-45755
https://notcve.org/view.php?id=CVE-2024-45755
25 Nov 2024 — An issue was discovered in Centreon centreon-dsm-server 24.10.x before 24.10.0, 24.04.x before 24.04.3, 23.10.x before 23.10.1, 23.04.x before 23.04.3, and 22.10.x before 22.10.2. SQL injection can occur in the form to configure Centreon DSM slots. Exploitation is only accessible to authenticated users with high-privileged access.
Reference: https://github.com/centreon/centreon/releases
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2024-45756
https://notcve.org/view.php?id=CVE-2024-45756
25 Nov 2024 — An issue was discovered in Centreon centreon-open-tickets 24.10.x before 24.10.0, 24.04.x before 24.04.2, 23.10.x before 23.10.1, 23.04.x before 23.04.3, and 22.10.x before 22.10.2. SQL injection can occur in the form to create a ticket. Exploitation is only accessible to authenticated users with high-privileged access.
Reference: https://github.com/centreon/centreon/release
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')