XSS Vulnerability in Icinga PHP Library

Apr 22, 2026

Today we announce a security update for Icinga PHP Library. It fixes a severe cross-site scripting (XSS) vulnerability that affects multiple Icinga products at once. The advisory has been published as GHSA-55wf-5m3q-6jjf.

Installing the update v0.19.2 as soon as possible is highly recommended. Packages are available now.

An attacker needs to lure a victim onto a familiar-looking but malicious website. The attack can then be prepared in the background, causing a browser tab to open and leading the user to a compromised instance of Icinga Web.

If CSP (Content-Security-Policy) is enabled in Icinga Web (available since v2.12.0), or if the browser in use applies a default value other than None for the SameSite cookie attribute, the attack can be effectively mitigated.
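
To see which of these two conditions holds for a response from your own Icinga Web instance, the following check classifies its headers. It is an added example, not code from Icinga: the sample headers and the cookie name `session` are constructed, and two rules are assumptions of the example (a policy that permits `'unsafe-inline'` scripts is not counted as a mitigation, and an explicit `SameSite=Lax` or `Strict` is treated like a non-None browser default).

```python
# Constructed sample responses (not captured from a real Icinga Web instance).
HARDENED = [("Content-Security-Policy", "script-src 'self' 'nonce-r4nd0m'"),
            ("Set-Cookie", "session=abc; Path=/; HttpOnly")]
LEGACY = [("Set-Cookie", "session=abc; Path=/; HttpOnly")]
CROSS_SITE = [("Set-Cookie", "session=abc; Path=/; Secure; SameSite=None")]

def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive, so keep the first one.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def csp_blocks_inline_script(value):
    """True if script-src (or its default-src fallback) forbids inline script."""
    policy = parse_csp(value)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # no directive governs script execution
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 for s in sources)
    # When a nonce or hash is present, browsers ignore 'unsafe-inline'.
    return strict or "'unsafe-inline'" not in sources

def samesite_of(set_cookie):
    """Explicit SameSite value of one Set-Cookie header, or None if unset."""
    for attr in set_cookie.split(";")[1:]:
        name, _, val = attr.strip().partition("=")
        if name.lower() == "samesite":
            return val.strip().lower()
    return None

def audit(headers):
    """Classify a list of (name, value) response headers."""
    csp = [v for k, v in headers if k.lower() == "content-security-policy"]
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    if any(csp_blocks_inline_script(v) for v in csp):
        return "csp"
    modes = [samesite_of(c) for c in cookies]
    if modes and all(m in ("lax", "strict") for m in modes):
        return "samesite-explicit"
    if "none" in modes:
        return "exposed"
    return "browser-dependent"  # outcome rests on the browser's SameSite default
```

A result of `browser-dependent` or `exposed` means the instance relies entirely on the v0.19.2 update for protection.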
