This page lists publicly disclosed CVE vulnerabilities affecting centreon centreon_web (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-2751 | Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Centreon Web on Central Server on Linux (Service Dependencies modules) allows Blind SQL Injection. This issue affects Centreon Web on Central Server before 25.10.8, 24.10.20, 24.04.24. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 8.3 | 0.06% | 2026-02-27 | 2026-03-09 |
| CVE-2025-12513 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts configuration form modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 6.8 | 0.01% | 2026-01-05 | 2026-01-26 |
| CVE-2025-13056 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Administration ACL menu configuration modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 6.8 | 0.01% | 2026-01-05 | 2026-01-26 |
| CVE-2025-12519 | Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Information Disclosure like downtime or acknowledgement configurations. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 5.3 | 0.01% | 2026-01-05 | 2026-01-26 |
| CVE-2025-5965 | In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Backup configuration in the administration setup modules) allows OS Command Injection. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 7.2 | 0.16% | 2026-01-05 | 2026-01-26 |
| CVE-2025-54890 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hostgroup configuration page) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19, from 23.10.0 before 23.10.29. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 6.8 | 0.01% | 2025-12-22 | 2026-01-26 |
| CVE-2025-10023 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Services Meta-services modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 6.2 | 0.01% | 2025-10-27 | 2026-01-26 |
| CVE-2025-8459 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Monitoring recurrent downtime scheduler modules) allows Stored XSS. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 7.7 | 0.01% | 2025-10-14 | 2025-10-22 |
| CVE-2025-8430 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Commands Connectors configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 6.8 | 0.01% | 2025-10-14 | 2025-10-22 |
| CVE-2025-8429 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (ACL Action access configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 6.8 | 0.01% | 2025-10-14 | 2025-10-22 |
| CVE-2025-54893 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts templates configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 6.8 | 0.01% | 2025-10-14 | 2025-10-22 |
| CVE-2025-8428 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (HTTP Loader widget modules) allows Stored XSS. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 6.8 | 0.01% | 2025-10-14 | 2025-10-22 |
| CVE-2025-5946 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Poller reload setup in the configuration modules) allows OS Command Injection. On the poller parameters page, a user with high privilege is able to concatenate custom instructions into the poller reload command. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 7.2 | 32.33% | 2025-10-14 | 2025-10-22 |
| CVE-2025-54892 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (SNMP traps group configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 6.8 | 0.01% | 2025-10-14 | 2025-10-22 |
| CVE-2025-54891 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (ACL Resource access configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 6.8 | 0.01% | 2025-10-14 | 2025-10-21 |
| CVE-2025-54889 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (SNMP traps manufacturer configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 6.8 | 0.01% | 2025-10-14 | 2025-10-21 |
| CVE-2025-6791 | In the monitoring event logs page, it is possible to alter the HTTP request to insert a reflect payload in the DB. Caused by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon web (Monitoring event logs modules) allows SQL Injection. This issue affects web: 24.10.0, 24.04.0, 23.10.0. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 8.8 | 0.05% | 2025-08-22 | 2025-10-22 |
| CVE-2025-4650 | User with high privileges is able to introduce a SQLi using the Meta Service indicator page. Caused by an Improper Neutralization of Special Elements used in an SQL Command. This issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 7.2 | 0.07% | 2025-08-22 | 2025-10-22 |
| CVE-2025-4649 | Improper Handling of Exceptional Conditions vulnerability in Centreon web allows Privilege Escalation. ACLs are not correctly taken into account in the display of the "event logs" page. This page, requiring high privileges, will display all available logs. This issue affects web: from 24.10.3 before 24.10.4, from 24.04.09 before 24.04.10, from 23.10.19 before 23.10.21, from 23.04.24 before 23.04.26. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 4.9 | 0.17% | 2025-05-13 | 2025-10-22 |
| CVE-2025-4648 | The content of an SVG file, received as input in Centreon web, was not properly checked. Allows Reflected XSS. A user with elevated privileges can inject JS script by altering the content of an SVG media, during the submit request. This issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29. | bd4443e6-1eef-43f3-9886-25fc9ceeaae7 | 8.4 | 0.29% | 2025-05-13 | 2025-10-22 |