xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the adduser_name argument in (1) web/useradm.c or (2) web/chpasswd.c.
Loading...
Loading...
Score 8.8 from GitHub Security Advisory (severity: HIGH) published 2022-05-14. NVD baseline CVSS 8.8; sources differ by 0.0.
xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the adduser_name argument in (1) web/useradm.c or (2) web/chpasswd.c.
April 13, 2016
May 6, 2026
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Working exploit code is in the public domain (1 Metasploit module) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
Xymon 4.3.25 - useradm Command Execution (Metasploit)
Open source ↗Xymon useradm Command Execution
Open source ↗See which npm, PyPI, Go, and Maven packages are affected by CVE-2016-2056
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.