CVE-2016-2056

high

Published 2016-04-13 · Modified 2026-05-06

CVSS v3

8.8

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2

6.5

VIR risk

8.8

Description

xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the adduser_name argument in (1) web/useradm.c or (2) web/chpasswd.c.

Predictions

Exploit likelihood

92%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-2056

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://sourceforge.net/p/xymon/code/7892/

OS impact

OS	Version	Status	Fixed in
debian	8.0	affected
debian	bookworm	fixed	`4.3.25-1`
debian	bullseye	fixed	`4.3.25-1`
debian	forky	fixed	`4.3.25-1`
debian	sid	fixed	`4.3.25-1`
debian	trixie	fixed	`4.3.25-1`

Application impact

Vendor	Product	Versions
xymon	xymon	`4.1.0`
xymon	xymon	`4.1.1`
xymon	xymon	`4.1.2`
xymon	xymon	`4.2`
xymon	xymon	`4.2.0`
xymon	xymon	`4.2.2`
xymon	xymon	`4.2.3`
xymon	xymon	`4.3.0`
xymon	xymon	`4.3.1`
xymon	xymon	`4.3.2`
xymon	xymon	`4.3.3`
xymon	xymon	`4.3.4`
xymon	xymon	`4.3.5`
xymon	xymon	`4.3.6`
xymon	xymon	`4.3.7`
xymon	xymon	`4.3.8`
xymon	xymon	`4.3.9`
xymon	xymon	`4.3.10`
xymon	xymon	`4.3.11`
xymon	xymon	`4.3.12`
xymon	xymon	`4.3.13`
xymon	xymon	`4.3.14`
xymon	xymon	`4.3.15`
xymon	xymon	`4.3.16`
xymon	xymon	`4.3.17`
xymon	xymon	`4.3.18`
xymon	xymon	`4.3.19`
xymon	xymon	`4.3.20`
xymon	xymon	`4.3.21`
xymon	xymon	`4.3.22`
xymon	xymon	`4.3.23`
xymon	xymon	`4.3.24`

References

CWEs

CWE-77

Verify integrity in audit chain (admin only). AS-IS.