CVE-2026-14453
A user with low privileges can inject SSTI templates that can lead to RCE in open-tickets
CVSS Score
9.6
EPSS Score
0.5%
EPSS Percentile
38th
This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets module that leads to Remote Code Execution. The message_confirm field is stored without sanitization and rendered via Smarty with no security policy enabled, allowing any authenticated user, to inject and execute arbitrary code on the server. This results in disclosure of environment secrets and could impact platform availability of Centreon Infra Monitoring product.
| CWE | CWE-94 |
| Vendor | centreon |
| Product | infra monitoring |
| Published | Jul 13, 2026 |
| Last Updated | Jul 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for centreon infra monitoring
Be the first to know when new critical vulnerabilities affecting centreon infra monitoring are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
High
Affected Versions
Centreon / Infra Monitoring
24.10.0 < 24.10.14 25.10.0 < 25.10.9
References
Credits
Matteo BEZET TORRES