Security Bulletins

February 2026 monthly security bulletin for Centreon Infra Monitoring - CRITICALSecurity Bulletin

Publication date: February 26th, 2026 Component: centreon-open-ticketsList of vulnerabilities: 2Description: A path traversal vulnerability in the Open Tickets file upload allows an authenticated user to write or delete arbitrary files.Reference: CVE-2026-2749CVSS: 9.9Severity: CriticalStatus: Fixes have been provided for all supported versions and it is recommended to update Centreon Open Tickets on Central Server:Centreon Open Tickets 25.10.3

3950

lpinsivyCentreonian

CVE-2025-13050 - Centreon Web - MEDIUM SeveritySecurity bulletin

Publication date: February 25th, 2026Components: centreon-webDescription: Broken Function Level Authorization allows execution of poller post-restart commands by authenticated user.Reference: CVE-2025-13050CVSS: 5.4Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 25.10.9

970

lpinsivyCentreonian

CVE-2025-12523 - Centreon Web - MEDIUM SeveritySecurity bulletin

Publication date: February 25th, 2026Components: centreon-webDescription: Broken Object Level Authorization in Users Configuration Endpoint allows Information Disclosure to authenticated user.Reference: CVE-2025-12523CVSS: 6.5Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 25.10.6

1090

lpinsivyCentreonian

CVE-2026-2751 - Centreon Web - HIGH SeveritySecurity Bulletin

Publication date: February 25th, 2026Components: centreon-webDescription: Blind SQL Injection via unsanitized array keys in Service Dependencies deletion.Reference: CVE-2026-2751CVSS: 8.1Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 25.10.8 Centreon We

1480

lpinsivyCentreonian

CVE-2026-2750 - Centreon Web - CRITICAL SeveritySecurity Bulletin

Publication date: February 25th, 2026Components: centreon-webDescription: Improper input validation leads to remote code execution on CLAPI.Reference: CVE-2026-2750CVSS: 9.1Severity: Critical Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Open Tickets on Central Server:Centreon Web 25.10.8 Centreon We

2910

lpinsivyCentreonian

CVE-2026-2749 - Centreon Open Tickets - CRITICAL SeveritySecurity bulletin

Publication date: February 24th, 2026Components: centreon-open-ticketsDescription: A path traversal vulnerability in the Open Tickets file upload allows an authenticated user to write or delete arbitrary files.Reference: CVE-2026-2749CVSS: 9.9Severity: Critical Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Open Tickets on Central Server:Centreon Open Tickets 25.10.3

4170

lpinsivyCentreonian

CVE-2025-43865, CVE-2025-43864 - Centreon 25.10 IT & Business EditionsSecurity Bulletin

Publication date: January 15th, 2026Components: centreon-anomaly-detection, centreon-autodiscovery-server, centreon-it-edition-extensions, centreon-license-manager, centreon-map4-web-clientDescription: Upgraded react-router 7.2.0 to 7.5.2 to prevent vulnerabilities.Reference: CVE-2025-43865, CVE-2025-43864CVSS: 8.2Severity: High Status: Only version 25.10.x of Centreon Infra Monitoring is concerned and it is recommended to update Centreon Web on Central Server. This version incl

2702

lpinsivyCentreonian

CVE-2025-5965 - Centreon Web - HIGH SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-webDescription: RCE via the backup feature available only to user with high privilege.Reference: CVE-2025-5965CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

7040

lpinsivyCentreonian

CVE-2025-13056 - Centreon Web - MEDIUM SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-webDescription: A user with elevated privileges can inject XSS in the Administration ACL Menus configuration page.Reference: CVE-2025-13056CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

6032

lpinsivyCentreonian

CVE-2025-12511 - Centreon DSM - MEDIUM SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-dsm-serverDescription: A user with elevated privileges can inject XSS in the DSM Administration’s Extensions configuration page.Reference: CVE-2025-12511CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon DSM on Central Server:

6200

lpinsivyCentreonian

CVE-2025-12513 - Centreon Web - MEDIUM SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-webDescription: A user with elevated privileges can inject XSS in the Hosts configuration parameters page.Reference: CVE-2025-12513CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

5810

lpinsivyCentreonian

CVE-2025-12519 - Centreon Web - MEDIUM SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-webDescription: Information disclosure on Administration parameters API endpoint.Reference: CVE-2025-12519CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

5700

lpinsivyCentreonian

CVE-2025-15026 - Centreon AWIE - Critical SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-awieDescription: Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs.Reference: CVE-2025-15026CVSS: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)Severity: Critical Status: Fixes have been provided for all supported versions and it is recommended to update Centreon AWIE on Centra

7360

lpinsivyCentreonian

CVE-2025-15029 - Centreon AWIE - CRITICAL SeveritySecurity Bulletin

Publication date: January 8th, 2026Components: centreon-awieDescription: An unauthenticated user is able to introduce SQL Injection using the AWIE export module.Reference: CVE-2025-15029CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)Severity: Critical Status: Fixes have been provided for all supported versions and it is recommended to update Centreon AWIE on Central Server:

7340

lpinsivyCentreonian

CVE-2025-8460 - Centreon Open Tickets - Medium SeveritySecurity Bulletin

Publication date: December 18th, 2025Components: centreon-open-ticketsDescription: A user with elevated privileges is able to introduce a SQL Injection using the Open-tickets Notification rules configuration parameters.Reference: CVE-2025-8460CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Open Tickets 25.

3400

lpinsivyCentreonian

CVE-2025-12514 - Centreon Open Tickets - High SeveritySecurity Bulletin

Publication date: December 18th, 2025Components: centreon-open-ticketsDescription: A user with elevated privileges is able to introduce a SQL Injection using the Open-tickets Notification rules configuration parameters.Reference: CVE-2025-12514CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Open Tickets 25

4100

lpinsivyCentreonian

CVE-2025-54890 - Centreon Web - MEDIUM severitySecurity Bulletin

Publication date: December 18th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the Hostgroups configuration page.Reference: CVE-2025-54890CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

3590

fgbetokpanouCentreonian

Security Alert: Preventive Actions Taken by Centreon Against the "Shai-Hulud 2.0" Campaignsecurity alert

The “Shai-Hulud 2.0” Campaign Since November 23rd, a major supply chain attack, named "Shai-Hulud 2.0", has been developing. This attack was quickly documented by major software and security players, notably GitLab on November 24th (https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/) and CERT-FR on November 27th (https://www.cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-051/). This attack spreads by compromising packages used as dependencies by many software solutions. Impact of Shai-Hulud 2.0 on Centreon To date, Centreon has detected no ev

2350

4 months ago

lpinsivyCentreonian

CVE-2025-8432 - Centreon MBI - HIGH severitySecurity Bulletin

Publication date: October 30th, 2025Components: centreon-bi-serverDescription: CentreonBI user account on the MBI server can execute commands as root by modifying script runned by the CRON.Reference: CVE-2025-8432CVSS: 8.4 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon MBI on Central Server:

5350

lpinsivyCentreonian

CVE-2025-10023 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: October 30th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the Meta-Service configuration page.Reference: CVE-2025-10023CVSS: 6.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N/E:F/RL:U/RC:C)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:

5430

lpinsivyCentreonian

CVE-2025-54889 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the SNMP traps manufacturer configuration page.Reference: CVE-2025-54889CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13

5430

lpinsivyCentreonian

CVE-2025-54891 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the ACL Resources access configuration page.Reference: CVE-2025-54891CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13

4310

lpinsivyCentreonian

CVE-2025-54892 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the SNMP Traps group configuration page.Reference: CVE-2025-54892CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13

3640

lpinsivyCentreonian

CVE-2025-54893 - Centreon Web all versions - MEDIUM severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the Hosts templates configuration page.Reference: CVE-2025-54893CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13

3730

lpinsivyCentreonian

CVE-2025-8459 - Centreon Web all versions - HIGH severitySecurity Bulletin

Publication date: September 24th, 2025Components: centreon-webDescription: A user with low privileges can inject XSS in the Monitoring Recurrent downtimes page.Reference: CVE-2025-8459CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13

5170