Improper input validation in Nagios Fusion 4.1.8 and earlier allows a remote attacker with control over a fused server to inject arbitrary HTML, aka XSS.
https://www.nagios.com/downloads/nagios-xi/change-log/
https://skylightcyber.com/2021/05/20/13-nagios-vulnerabilities-7-will-shock-you/