CVE-2025-27406 Overview
CVE-2025-27406 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Icinga Reporting module, the central reporting component for the Icinga Web 2 monitoring framework. Affected versions 0.10.0 through 1.0.2 allow an authenticated user to configure a report template that embeds arbitrary JavaScript. The injected script executes in two contexts: in the browser of any user previewing the template, and inside the headless browser used to render reports to PDF. Maintainers resolved the issue in Icinga Reporting version 1.0.3.
Critical Impact
Attackers with template configuration privileges can execute arbitrary JavaScript in victim browser sessions or inside the headless PDF renderer, leading to session hijacking, data exfiltration, and lateral access across the monitoring environment.
Affected Products
- Icinga Reporting module versions 0.10.0 through 1.0.2
- Icinga Web 2 deployments using the Reporting module for scheduled or ad-hoc reports
- Headless browser rendering pipelines that consume Icinga Reporting templates for PDF export
Discovery Timeline
- 2025-03-26 - CVE-2025-27406 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-27406
Vulnerability Analysis
The Icinga Reporting module accepts template definitions that are later rendered into HTML for both interactive preview and PDF export. The template processing path fails to sanitize or contextually encode user-supplied content before inserting it into the rendered output. An attacker who can create or modify a template can embed <script> tags or JavaScript event handlers that are stored persistently and executed each time the template is rendered.
Exploitation requires high privileges and user interaction, since the attacker must be authorized to manage report templates and a victim must preview the template or trigger a PDF export. The CVSS scope is changed because the injected script runs in the security context of the previewing user or inside the headless browser used for PDF generation, which often runs with elevated access to backend services.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. Template fields intended for display configuration are rendered into the document object model (DOM) without HTML entity encoding or a strict Content Security Policy (CSP), allowing arbitrary script content to be treated as executable markup.
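The missing neutralization step, shown as an added illustration rather than the module's own code: a field rendered by plain string concatenation beside the same field rendered with context-appropriate encoding (entity encoding for the text node, a scheme allowlist plus attribute encoding for the URL attribute). The field names `title` and `logo_url` and the output markup are assumptions for the example.

```python
"""Vulnerable vs. hardened rendering of report template fields.

Added example; not code from the Icinga Reporting module. The fields
(title, logo_url) and the markup layout are constructed for illustration.
"""
import html
from urllib.parse import urlsplit


def render_vulnerable(title: str, logo_url: str) -> str:
    """Concatenates user-controlled settings straight into markup.

    This is the pattern the root-cause analysis describes: no entity
    encoding, so markup inside the setting becomes part of the document.
    """
    return f'<h1>{title}</h1><img src="{logo_url}" alt="">'


def safe_url(url: str) -> str:
    """Allow only absolute http(s) URLs for resource references.

    Anything with another scheme (javascript:, data:, vbscript:) or with
    no scheme at all is replaced by an empty string. urlsplit stops
    parsing the scheme at the first character that is not a valid scheme
    character, so whitespace or control-character tricks fall into the
    "no scheme" case and are dropped too.
    """
    cleaned = url.strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme in ("http", "https") else ""


def render_hardened(title: str, logo_url: str) -> str:
    """Render the same fields with contextual output encoding."""
    # Text-node context: encode <, >, &, " and ' so the value is data,
    # never markup.
    safe_title = html.escape(title, quote=True)
    # URL-attribute context: enforce the scheme allowlist first, then
    # attribute-encode the survivor so it cannot break out of the quotes.
    safe_logo = html.escape(safe_url(logo_url), quote=True)
    return f'<h1>{safe_title}</h1><img src="{safe_logo}" alt="">'


if __name__ == "__main__":
    field = "Quarterly <script>console.log('x')</script>"
    print(render_vulnerable(field, "javascript:console.log(1)"))
    print(render_hardened(field, "javascript:console.log(1)"))
```

Output encoding is the fix the advisory's root cause calls for; a restrictive Content Security Policy on the Icinga Web 2 responses (and on whatever page the headless renderer loads) is the defense-in-depth layer the same paragraph mentions, not a substitute for it.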
Attack Vector
An attacker with template management privileges crafts a malicious template containing JavaScript payloads in fields that are reflected into the rendered report. When a legitimate user previews the template, the script executes in that user's authenticated session against the Icinga Web 2 origin. When the report is exported to PDF, the headless browser renders the same payload, allowing the attacker to act in the context of the rendering process, which may have network access to internal monitoring data and credentials.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-7qvq-54vm-r7hx for the maintainer write-up.
Detection Methods for CVE-2025-27406
Indicators of Compromise
- Report templates containing <script> tags, javascript: URIs, or DOM event handler attributes such as onerror, onload, or onclick
- Unexpected outbound HTTP requests from the headless browser process used for PDF generation
- Audit log entries showing template creation or modification by accounts that do not normally manage reports
Detection Strategies
- Review the Icinga Reporting database tables and stored template definitions for HTML or JavaScript payloads outside expected formatting tags
- Inspect web server logs for anomalous requests originating from the PDF rendering worker, which may indicate exfiltration via injected scripts
- Correlate template modification events with subsequent preview or export requests by privileged users
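A scanner for the indicators listed above, added here as an example and not part of the advisory or the Icinga project. It assumes the stored template definitions have already been exported to a JSON list of `{"name": ..., "settings": ...}` objects (how that export is produced from the reporting database is left to the operator); the sample dump below is constructed for illustration. It flags the three indicator classes named on this page (script tags, `javascript:` URIs, inline event handler attributes) and, because the mitigation section also asks for unexpected external resource references, absolute `src`/`href` URLs as a fourth, lower-confidence class.

```python
"""Scan exported Icinga Reporting template settings for stored-XSS indicators.

Added example; not code from the Icinga project. Input is assumed to be a
JSON array of objects with "name" and "settings" keys; settings may be a
nested object or a JSON string (double-encoded), both are handled.
"""
import json
import re
from typing import Any, Dict, Iterable, List

# Indicator patterns. The first three are the indicators of compromise named
# in the advisory; "external_resource" is a weaker signal that merits review
# rather than an automatic verdict.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "external_resource": re.compile(
        r"\b(?:src|href)\s*=\s*['\"]?\s*(?:https?:)?//", re.IGNORECASE
    ),
}


def iter_strings(value: Any) -> Iterable[str]:
    """Yield every string leaf of a nested JSON structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from iter_strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from iter_strings(item)


def normalize_settings(settings: Any) -> Any:
    """Decode settings stored as a JSON string; leave anything else as-is."""
    if isinstance(settings, str):
        try:
            return json.loads(settings)
        except ValueError:
            return settings  # plain text setting, scan it directly
    return settings


def scan_template(name: str, settings: Any) -> List[Dict[str, str]]:
    """Return one finding per (string, indicator) hit inside a template."""
    findings = []
    for text in iter_strings(normalize_settings(settings)):
        for label, pattern in INDICATORS.items():
            match = pattern.search(text)
            if match:
                start = max(0, match.start() - 20)
                findings.append({
                    "template": name,
                    "indicator": label,
                    "context": text[start:match.end() + 40],
                })
    return findings


def scan_dump(dump: str) -> List[Dict[str, str]]:
    """Scan a JSON export of templates and return all findings."""
    findings: List[Dict[str, str]] = []
    for tpl in json.loads(dump):
        findings.extend(scan_template(tpl.get("name", "?"), tpl.get("settings", {})))
    return findings


# Constructed sample export: one benign template, one carrying indicators.
SAMPLE_DUMP = json.dumps([
    {"name": "Monthly SLA",
     "settings": {"title": "SLA report", "header": "<b>Acme Monitoring</b>"}},
    {"name": "Suspicious",
     "settings": json.dumps({
         "title": "Report <script>console.log('x')</script>",
         "footer": "<img src=x onerror=\"console.log('loaded')\">",
     })},
])

if __name__ == "__main__":
    for finding in scan_dump(SAMPLE_DUMP):
        print(f"{finding['template']}: {finding['indicator']} -> {finding['context']!r}")
```

Every hit should be reviewed by a person: the `event_handler` pattern in particular is a heuristic, and legitimate templates may carry attributes that resemble it. Run the scan once before the upgrade to 1.0.3 and again afterwards, since the fix prevents new execution but does not remove payloads that are already stored.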
Monitoring Recommendations
- Enable and centralize audit logging for all Icinga Web 2 administrative actions, especially template create, update, and delete operations
- Monitor the headless browser host for unexpected DNS lookups, outbound connections, or process behavior during report rendering
- Alert on access to the Reporting module by accounts that have not previously interacted with it
How to Mitigate CVE-2025-27406
Immediate Actions Required
- Upgrade the Icinga Reporting module to version 1.0.3 or later on all Icinga Web 2 instances
- Audit existing templates for embedded scripts, suspicious HTML attributes, or unexpected external resource references and remove them
- Restrict template management permissions to a minimal set of trusted administrators until the upgrade is complete
Patch Information
The vulnerability is fixed in Icinga Reporting 1.0.3. Release artifacts and changelog are published at the Icinga Reporting Module Release page. Administrators should follow the standard Icinga Web 2 module upgrade procedure and restart the web server and any headless rendering workers after deployment.
Workarounds
- Review every existing report template and remove suspicious settings, embedded HTML, or JavaScript content as recommended in the upstream advisory
- Revoke template management privileges from non-essential accounts until patching is complete
- Isolate the headless browser used for PDF rendering on a network segment with no access to sensitive internal services
# Upgrade the Icinga Reporting module via the Icinga Web 2 CLI
icingacli module disable reporting
# Replace the module directory with the v1.0.3 release. The module must live in
# a directory named "reporting"; extracting with --strip-components=1 directly
# into modules/ would scatter the release files across the modules root.
curl -L https://github.com/Icinga/icingaweb2-module-reporting/archive/refs/tags/v1.0.3.tar.gz -o reporting-1.0.3.tar.gz
rm -rf /usr/share/icingaweb2/modules/reporting
mkdir -p /usr/share/icingaweb2/modules/reporting
tar -xzf reporting-1.0.3.tar.gz -C /usr/share/icingaweb2/modules/reporting --strip-components=1
icingacli module enable reporting
icingacli module list | grep reporting
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

