Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password parameter.
nagios nagios xi 5.6.11