Product
Centreon Web
57 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-2750
CVE-2026-2751
CVE-2025-12513
CVE-2025-13056
CVE-2025-12519
CVE-2025-5965
CVE-2025-54890
CVE-2025-10023
CVE-2025-8459
CVE-2025-8430
CVE-2025-8429
CVE-2025-54893
CVE-2025-8428
CVE-2025-5946
CVE-2025-54892
CVE-2025-54891
CVE-2025-54889
CVE-2025-6791
CVE-2025-4650
CVE-2025-4649
CVE-2025-4648
CVE-2025-4647
CVE-2025-4646
CVE-2025-3872
CVE-2024-55573
CVE-2024-53923
CVE-2024-39841
CVE-2024-33854
CVE-2024-33853
CVE-2024-33852
CVE-2024-32501
CVE-2024-5725
CVE-2024-5723
CVE-2023-51633
CVE-2024-23119
CVE-2024-23118
CVE-2024-23117
CVE-2024-23116
CVE-2024-23115
CVE-2024-0637
CVE-2021-26804
CVE-2019-15299
CVE-2019-15300
CVE-2019-15298
CVE-2019-16406
CVE-2019-16405
CVE-2019-17105
CVE-2019-17108
CVE-2019-17107
CVE-2019-17106
CVE-2018-21023
CVE-2018-21022
CVE-2018-21021
CVE-2018-21020
CVE-2018-11589
CVE-2018-11588
CVE-2018-11587
< 24.04.24
Improper Input Validation vulnerability in Centreon Open Tickets on Central Server on Linux (Centreon Open Tickets module
>= 24.04.0 and < 24.04.24.
Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Web on Central
>= 24.04.0 and < 24.04.19
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monito
>= 24.04.0 and < 24.04.19
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monito
>= 24.04.0 and < 24.04.19
Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing
>= 24.04.0 and < 24.04.19
In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. Improper Neut
>= 23.10.0 and < 23.10.29
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monito
>= 23.10.0 and < 23.10.26
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monito
>= 23.10.0 and < 23.10.28
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monito
>= 23.10.0 and < 23.10.28
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monito
>= 23.10.0 and < 23.10.28
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monito
>= 23.10.0 and < 23.10.28
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monito
>= 23.10.0 and < 23.10.28
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monito
>= 23.10.0 and < 23.10.28
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitor
>= 23.10.0 and < 23.10.28
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monito
>= 23.10.0 and < 23.10.28
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monito
>= 23.10.0 and < 23.10.28
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monito
>= 23.10.0 and < 23.10.26
In the monitoring event logs page, it is possible to alter the HTTP request to insert a reflect payload in the DB. Caused by an Im
>= 23.10.0 and < 23.10.26
User with high privileges is able to introduce a SQLi using the Meta Service indicator page. Caused by an Improper Neutralization
>= 23.04.24 and < 23.04.26
Improper Handling of Exceptional Conditions vulnerability in Centreon web allows Privilege Escalation. ACL are not correctly ta
>= 22.10.0 and < 22.10.29
The content of an SVG file, received as input in Centreon web, was not properly checked. Allows Reflected XSS. A user with elevat
>= 22.10.0 and < 22.10.29
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon web allows R
>= 24.04.0 and < 24.04.10
Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation. This issue aff
>= 22.10.0 and < 22.10.28
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon centreon-web (User
>= 23.04.0 and < 23.04.24
An issue was discovered in Centreon centreon-web 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, 23.04.x
>= 23.04.0 and < 23.04.24
An issue was discovered in Centreon Web 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, 23.04.x before 23
>= 22.10.0 and < 22.10.23
A SQL Injection vulnerability exists in the service configuration functionality in Centreon Web 24.04.x before 24.04.3, 23.10.x be
>= 22.10.0 and < 22.10.23
A SQL Injection vulnerability exists in the Graph Template component in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.
>= 22.10.0 and < 22.10.23
A SQL Injection vulnerability exists in the Timeperiod component in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13,
>= 22.10.0 and < 22.10.23
A SQL Injection vulnerability exists in the Downtime component in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23
>= 22.10.0 and < 22.10.23
A SQL Injection vulnerability exists in the updateServiceHost functionality in Centreon Web 24.04.x before 24.04.3, 23.10.x before
< 22.10.23
Centreon initCurveList SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute ar
< 22.04.24
Centreon updateServiceHost SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execut
< 22.10.15
Centreon sysName Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute a
< 22.04.19
Centreon insertGraphTemplate SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to exec
< 22.04.19
Centreon updateContactHostCommands SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers t
< 22.04.19
Centreon updateContactServiceCommands SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attacker
< 22.04.19
Centreon updateLCARelation SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execut
< 22.04.19
Centreon updateGroups SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arb
< 22.04.19
Centreon updateDirectory SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute
all versions
Insecure Permissions in Centreon Web versions 19.10.18, 20.04.8, and 20.10.2 allows remote attackers to bypass validation by chang
<= 19.04.3
An issue was discovered in Centreon Web through 19.04.3. When a user changes his password on his profile page, the contact_autolog
>= 2.8.1 and < 2.8.30
A problem was found in Centreon Web through 19.04.3. An authenticated SQL injection is present in the page include/Administration/
>= 2.8.1 and < 2.8.30
A problem was found in Centreon Web through 19.04.3. An authenticated command injection is present in the page include/configurati
all versions
Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) fil
< 2.8.30
Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2 allows Remote Code Execution
>= 2.8 and < 2.8.27
The token generator in index.php in Centreon Web before 2.8.27 is predictable.
>= 2.8 and < 2.8.28
Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28 allows attackers to disclose information or perform a
>= 2.8 and < 2.8.27
minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddr
<= 2.8.29
In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to e
>= 2.8 and < 2.8.28
getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter.
< 2.8.28
makeXML_ListServices.php in Centreon Web before 2.8.28 allows attackers to perform SQL injections via the host_id parameter.
< 2.8.27
img_gantt.php in Centreon Web before 2.8.27 allows attackers to perform SQL injections via the host_id parameter.
< 2.8.27
In very rare cases, a PHP type juggling vulnerability in centreonAuth.class.php in Centreon Web before 2.8.27 allows attackers to
all versions
Multiple SQL injection vulnerabilities in Centreon 3.4.6 including Centreon Web 2.8.23 allow attacks via the searchU parameter in
all versions
Centreon 3.4.6 including Centreon Web 2.8.23 is vulnerable to an authenticated user injecting a payload into the username or comma
all versions
There is Remote Code Execution in Centreon 3.4.6 including Centreon Web 2.8.23 via the RPN value in the Virtual Metric form in cen