We released a security update for Icinga PHP Library. It solves a severe cross-site scripting attack vulnerability and affects multiple Icinga products at once. It has been published as GHSA-55wf-5m3q-6jjf.
Installing the update v0.19.2 as soon as possible is highly recommended. Packages are available now.
An attacker needs to lure a victim onto any familiar-looking but malicious website, and the attack can be prepared in the background, causing a browser tab to open, leading the user to a compromised instance of Icinga Web.
In case CSP (Content-Security-Policy) is enabled in Icinga Web (available since v2.12.0) or a browser is in use that provides a default value for the cookie attribute SameSite other than None, the attack can be effectively mitigated.
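To see which of the two mitigating conditions above holds for a given deployment, the response headers can be classified as in the following added example, which is not code from Icinga or from the advisory. The cookie name `session`, the header values and the verdict labels are constructed, and treating an explicit `SameSite=Lax` or `Strict` like a non-None browser default is an assumption.

```python
# Added example (not Icinga code): audit one HTTP response's headers for the
# two mitigations the advisory names. All header values below are constructed.

def samesite_of(set_cookie):
    """Return the lower-cased SameSite value of a Set-Cookie header, or None."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip().lower()
    return None

def audit(headers):
    """headers: list of (name, value) pairs from a single response."""
    # Only the enforcing header counts; the Report-Only variant blocks nothing.
    csp = any(n.lower() == "content-security-policy" and v.strip()
              for n, v in headers)
    cookies = {}
    for n, v in headers:
        if n.lower() == "set-cookie":
            cookies[v.split("=", 1)[0].strip()] = samesite_of(v)
    values = set(cookies.values())
    if csp:
        verdict = "mitigated-by-csp"
    elif not cookies:
        verdict = "no-cookie-seen"
    elif "none" in values:
        verdict = "no-mitigation"          # cookie is sent cross-site on purpose
    elif values <= {"lax", "strict"}:
        verdict = "mitigated-by-samesite"  # assumption: acts like a non-None default
    else:
        verdict = "depends-on-browser"     # attribute absent: browser default decides
    return {"csp": csp, "cookies": cookies, "verdict": verdict}

# Constructed sample responses, one per case.
SAMPLES = {
    "csp_on": [("Content-Security-Policy", "script-src 'self'"),
               ("Set-Cookie", "session=CONSTRUCTED; Path=/; HttpOnly")],
    "lax":    [("Set-Cookie", "session=CONSTRUCTED; Path=/; SameSite=Lax")],
    "none":   [("Set-Cookie", "session=CONSTRUCTED; Path=/; Secure; SameSite=None")],
    "unset":  [("Set-Cookie", "session=CONSTRUCTED; Path=/; HttpOnly")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit(hdrs)["verdict"])
```

A `depends-on-browser` or `no-mitigation` result means neither condition is guaranteed, so the update to v0.19.2 is the only fix in place.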
Icinga 2.16.0 and 2.15.3:
The new releases introduce OpenTelemetry support, improved performance through streaming responses, and several bug fixes.
Since the notes are a bit longer, I’ll just redirect you to the blog
Hi, I’m not sure how you came to think we support 3 versions. It was always only about the latest and the one prior. Right now, that’s v2.16 and v2.15.
Edit: Of course, sometimes we provide backports way further, but not always and only in case of very severe vulnerabilities or specific demand by one of our partners.
So the current major and the previous major are supported. Older majors are also getting updates on large security problems, like 1.5 years ago with 2.14.3, 2.13.10, 2.12.11 and 2.11.12.
We only guarantee releases for the past 2 versions, the ones you can see in the matrix linked by the others above.
It’s always possible that we backport further, but officially we only support those.
But also in the Icinga for Windows repo you linked, you can see that the most recent patch from 2026-04-23 was only for 2.15.x and 2.16.x.