Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username parameter.
nagios nagios xi 5.6.11