๐Ÿ” CVE Alert

CVE-2026-14453

CRITICAL 9.6

A user with low privileges can inject SSTI templates that can lead to RCE in open-tickets

CVSS Score
9.6
EPSS Score
0.5%
EPSS Percentile
38th

This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets module that leads to Remote Code Execution. The message_confirm field is stored without sanitization and rendered via Smarty with no security policy enabled, allowing any authenticated user, to inject and execute arbitrary code on the server. This results in disclosure of environment secrets and could impact platform availability of Centreon Infra Monitoring product.

CWE CWE-94
Vendor centreon
Product infra monitoring
Published Jul 13, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for centreon infra monitoring

Be the first to know when new critical vulnerabilities affecting centreon infra monitoring are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
High

Affected Versions

Centreon / Infra Monitoring
24.10.0 < 24.10.14 25.10.0 < 25.10.9

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/centreon/centreon/releases

Credits

Matteo BEZET TORRES