This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets module that leads to Remote Code Execution. The message_confirm field is stored without sanitization and rendered via Smarty with no security policy enabled, allowing any authenticated user, to inject and execute arbitrary code on the server. This results in disclosure of environment secrets and could impact platform availability of Centreon Infra Monitoring product.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
| Link | Providers |
|---|---|
| https://github.com/centreon/centreon/releases |
|
History
Mon, 13 Jul 2026 08:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets module that leads to Remote Code Execution. The message_confirm field is stored without sanitization and rendered via Smarty with no security policy enabled, allowing any authenticated user, to inject and execute arbitrary code on the server. This results in disclosure of environment secrets and could impact platform availability of Centreon Infra Monitoring product. | |
| Title | A user with low privileges can inject SSTI templates that can lead to RCE in open-tickets | |
| Weaknesses | CWE-94 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: Centreon
Published:
Updated: 2026-07-13T08:19:13.094Z
Reserved: 2026-07-02T08:14:59.645Z
Link: CVE-2026-14453
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses