Security Bulletins

CVE-2025-43865, CVE-2025-43864 - Centreon 25.10 IT & Business EditionsSecurity Bulletin

Publication date: January 15th, 2026Components: centreon-anomaly-detection, centreon-autodiscovery-server, centreon-it-edition-extensions, centreon-license-manager, centreon-map4-web-clientDescription: Upgraded react-router 7.2.0 to 7.5.2 to prevent vulnerabilities.Reference: CVE-2025-43865, CVE-2025-43864CVSS: 8.2Severity: High Status: Only version 25.10.x of Centreon Infra Monitoring is concerned and it is recommended to update Centreon Web on Central Server. This version incl

2352

lpinsivyCentreonian

CVE-2025-5965 - Centreon Web - HIGH SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-webDescription: RCE via the backup feature available only to user with high privilege.Reference: CVE-2025-5965CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

6680

lpinsivyCentreonian

CVE-2025-13056 - Centreon Web - MEDIUM SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-webDescription: A user with elevated privileges can inject XSS in the Administration ACL Menus configuration page.Reference: CVE-2025-13056CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

5882

lpinsivyCentreonian

CVE-2025-12511 - Centreon DSM - MEDIUM SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-dsm-serverDescription: A user with elevated privileges can inject XSS in the DSM Administration’s Extensions configuration page.Reference: CVE-2025-12511CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon DSM on Central Server:

6080

lpinsivyCentreonian

CVE-2025-12513 - Centreon Web - MEDIUM SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-webDescription: A user with elevated privileges can inject XSS in the Hosts configuration parameters page.Reference: CVE-2025-12513CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

5690

lpinsivyCentreonian

CVE-2025-12519 - Centreon Web - MEDIUM SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-webDescription: Information disclosure on Administration parameters API endpoint.Reference: CVE-2025-12519CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

5570

lpinsivyCentreonian

CVE-2025-15026 - Centreon AWIE - Critical SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-awieDescription: Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs.Reference: CVE-2025-15026CVSS: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)Severity: Critical Status: Fixes have been provided for all supported versions and it is recommended to update Centreon AWIE on Centra

7280

lpinsivyCentreonian

CVE-2025-15029 - Centreon AWIE - CRITICAL SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-awieDescription: An unauthenticated user is able to introduce SQL Injection using the AWIE export module.Reference: CVE-2025-15029CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)Severity: Critical Status: Fixes have been provided for all supported versions and it is recommended to update Centreon AWIE on Central Server:

7170

lpinsivyCentreonian

CVE-2025-8460 - Centreon Open Tickets - Medium SeveritySecurity Bulletin

Publication date: December 18th, 2025Components: centreon-open-ticketsDescription: A user with elevated privileges is able to introduce a SQL Injection using the Open-tickets Notification rules configuration parameters.Reference: CVE-2025-8460CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Open Tickets 25.

3320

lpinsivyCentreonian

CVE-2025-12514 - Centreon Open Tickets - High SeveritySecurity Bulletin

Publication date: December 18th, 2025Components: centreon-open-ticketsDescription: A user with elevated privileges is able to introduce a SQL Injection using the Open-tickets Notification rules configuration parameters.Reference: CVE-2025-12514CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Open Tickets 25

3960

lpinsivyCentreonian

CVE-2025-54890 - Centreon Web - MEDIUM severitySecurity Bulletin

Publication date: December 18th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the Hostgroups configuration page.Reference: CVE-2025-54890CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

3490

fgbetokpanouCentreonian

Security Alert: Preventive Actions Taken by Centreon Against the "Shai-Hulud 2.0" Campaignsecurity alert

The “Shai-Hulud 2.0” Campaign Since November 23rd, a major supply chain attack, named "Shai-Hulud 2.0", has been developing. This attack was quickly documented by major software and security players, notably GitLab on November 24th (https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/) and CERT-FR on November 27th (https://www.cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-051/). This attack spreads by compromising packages used as dependencies by many software solutions. Impact of Shai-Hulud 2.0 on Centreon To date, Centreon has detected no ev

2220

2 months ago

lpinsivyCentreonian

CVE-2025-8432 - Centreon MBI - HIGH severitySecurity Bulletin

Publication date: October 30th, 2025Components: centreon-bi-serverDescription: CentreonBI user account on the MBI server can execute commands as root by modifying script runned by the CRON.Reference: CVE-2025-8432CVSS: 8.4 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon MBI on Central Server:

5260

3 months ago

lpinsivyCentreonian

CVE-2025-10023 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: October 30th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the Meta-Service configuration page.Reference: CVE-2025-10023CVSS: 6.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N/E:F/RL:U/RC:C)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

5390

3 months ago

lpinsivyCentreonian

CVE-2025-54889 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the SNMP traps manufacturer configuration page.Reference: CVE-2025-54889CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13

5380

lpinsivyCentreonian

CVE-2025-54891 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the ACL Resources access configuration page.Reference: CVE-2025-54891CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13

4270

lpinsivyCentreonian

CVE-2025-54892 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the SNMP Traps group configuration page.Reference: CVE-2025-54892CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13

3590

lpinsivyCentreonian

CVE-2025-54893 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the Hosts templates configuration page.Reference: CVE-2025-54893CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13

3660

lpinsivyCentreonian

CVE-2025-8459 - Centreon Web all versions - HIGH severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: A user with low privileges can inject XSS in the Monitoring Recurrent downtimes page.Reference: CVE-2025-8459CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13

5110

lpinsivyCentreonian

CVE-2025-8430 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: A user with low privileges can inject XSS in the Monitoring Recurrent downtimes page.Reference: CVE-2025-8430CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13

3590

lpinsivyCentreonian

CVE-2025-8429 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the ACL Action access configuration pageReference: CVE-2025-8429CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13

3680

lpinsivyCentreonian

CVE-2016-10744 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription:select2 is a jQuery-based replacement for select boxes. It supports searching, remote data sets, and pagination of results.Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to missing sanitization when HTML templates are used to display remotely-loaded data.Reference: CVE-2016-10744CVSS: 6.1Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

990

lpinsivyCentreonian

CVE-2025-5946 - Centreon Web all versions - HIGH severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: RCE via the poller reload feature available only to user with high privilege.Reference: CVE-2025-5946CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13

5990

lpinsivyCentreonian

CVE-2025-8428 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: A user with minimal rights (monitoring) can inject a JavaScript payload into a custom view in order to spoof an administrator or supervisor's session.Reference: CVE-2025-8428CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N/E:F/RL:U/RC:C)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

4140

lpinsivyCentreonian

Centreon Web all versions - Medium severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: upgraded jquery select2 to version 4.0.8Reference: linkCVSS: 4Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13 Centreon Web 24.04.18

1380