{"api_version":"1","generated_at":"2026-07-12T14:34:03+00:00","cve":"CVE-2021-37223","urls":{"html":"https://cve.report/CVE-2021-37223","api":"https://cve.report/api/cve/CVE-2021-37223.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-37223","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-37223"},"summary":{"title":"CVE-2021-37223","description":"Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the target page can be replaced with an SSRF payload to access internal resources or disclose local system files.","state":"PUBLISHED","assigner":"mitre","published_at":"2021-10-05 12:15:07","updated_at":"2026-07-09 01:16:58"},"problem_types":["CWE-918","n/a"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"4","severity":"","vector":"AV:N/AC:L/Au:S/C:P/I:N/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","baseScore":4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://www.nagios.com/downloads/nagios-xi/change-log/","name":"https://www.nagios.com/downloads/nagios-xi/change-log/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes","Vendor Advisory"],"title":"Nagios XI Change Log - Nagios","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://nagios.com","name":"http://nagios.com","refsource":"MITRE","tags":[],"title":"Nagios - Network, Server and Log Monitoring Software","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-37223","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37223","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"37223","vulnerable":"1","versionEndIncluding":"5.8.4","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nagios","cpe5":"nagios_xi","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2021","cve_id":"37223","cve":"CVE-2021-37223","epss":"0.047810000","percentile":"0.908740000","score_date":"2026-07-11","updated_at":"2026-07-12 00:00:53"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2026-07-09T00:14:24.379Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.nagios.com/downloads/nagios-xi/change-log/"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"descriptions":[{"lang":"en","value":"Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the target page can be replaced with an SSRF payload to access internal resources or disclose local system files."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2026-07-04T23:39:05.301Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"url":"https://www.nagios.com/downloads/nagios-xi/change-log/"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-37223","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the target page can be replaced with an SSRF payload to access internal resources or disclose local system files."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://www.nagios.com/downloads/nagios-xi/change-log/","refsource":"MISC","url":"https://www.nagios.com/downloads/nagios-xi/change-log/"},{"name":"http://nagios.com","refsource":"MISC","url":"http://nagios.com"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2021-37223","datePublished":"2021-10-05T11:59:50.000Z","dateReserved":"2021-07-21T00:00:00.000Z","dateUpdated":"2026-07-09T00:14:24.379Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2021-10-05 12:15:07","lastModifiedDate":"2026-07-09 01:16:58","problem_types":["CWE-918","n/a"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","baseScore":4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*","versionEndIncluding":"5.8.4","matchCriteriaId":"A557C416-195B-4B17-B66B-CC7C8C0AF923"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"37223","Ordinal":"1","Title":"CVE-2021-37223","CVE":"CVE-2021-37223","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"37223","Ordinal":"1","NoteData":"Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the target page can be replaced with an SSRF payload to access internal resources or disclose local system files.","Type":"Description","Title":"CVE-2021-37223"},{"CveYear":"2021","CveId":"37223","Ordinal":"2","NoteData":"2021-10-05","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"37223","Ordinal":"3","NoteData":"2021-10-05","Type":"Other","Title":"Modified"}]}}}