A SQL injection issue exists in Nagios XI prior to 5.4.13 via the admin/commandline.php cname parameter.
nagios nagios xi