In Nagios XI prior to 5.7.3, ajaxhelper.php allows remote authenticated malicious users to execute arbitrary commands via cmdsubsys.
nagios nagios xi