Hi Everyone,
You're probably already aware, but the current version of NCPA contains a version of python which is affected by some recently published CVEs.
More details here.
https://github.com/NagiosEnterprises/ncpa/issues/1341
Hopefully we get a new version asap.
Thanks,
Peter.
NCPA Python vulnerabilities
Re: NCPA Python vulnerabilities
Hi @proddan,
Thanks for bringing this to our attention.
NCPA 3.2.3 which was released last week, shipped with the latest version of python3.13 that is currently available 3.13.11. It is also not immediately clear if updating to 3.14.2 or 3.15.0 (pre-release) would fix the vulnerabilities as the affected python versions in the CVE's are unspecified.
It's going to be at least a month before the next NCPA release. In the meantime, you can always download the source code for NCPA and build your own binaries with whatever version of python you like.
Thanks for bringing this to our attention.
NCPA 3.2.3 which was released last week, shipped with the latest version of python3.13 that is currently available 3.13.11. It is also not immediately clear if updating to 3.14.2 or 3.15.0 (pre-release) would fix the vulnerabilities as the affected python versions in the CVE's are unspecified.
It's going to be at least a month before the next NCPA release. In the meantime, you can always download the source code for NCPA and build your own binaries with whatever version of python you like.
Cheers,
- Cole
- Cole
-
Terminator
- Posts: 1
- Joined: Fri Apr 10, 2026 2:57 am
Re: NCPA Python vulnerabilities
Hi,
I have upgraded the NCPA agent to version 3.3.1, but Windows Defender still reports a vulnerability related to Python:
CVE-2026-4519
CVE-2024-12797
CVE-2026-4224
CVE-2026-3644
CVE-2026-2297
We use the NCPA agent solely to monitor machines and alert us if there are any issues with services—nothing more. This may not be the most appropriate question, but for this type of use, is Python actually exploitable within the NCPA agent, or are the vulnerabilities being flagged simply because Python is bundled with it? Also, while the previous vulnerabilities were addressed after the agent upgrade, new ones have appeared. Does this mean we should expect vulnerabilities to be reported on a monthly basis?
Thank you in advance for any answer
I have upgraded the NCPA agent to version 3.3.1, but Windows Defender still reports a vulnerability related to Python:
CVE-2026-4519
CVE-2024-12797
CVE-2026-4224
CVE-2026-3644
CVE-2026-2297
We use the NCPA agent solely to monitor machines and alert us if there are any issues with services—nothing more. This may not be the most appropriate question, but for this type of use, is Python actually exploitable within the NCPA agent, or are the vulnerabilities being flagged simply because Python is bundled with it? Also, while the previous vulnerabilities were addressed after the agent upgrade, new ones have appeared. Does this mean we should expect vulnerabilities to be reported on a monthly basis?
Thank you in advance for any answer
-
DoubleDoubleA
- Posts: 292
- Joined: Thu Feb 09, 2017 5:07 pm
Re: NCPA Python vulnerabilities
Hi,
We are dependent on Windows to update python in this case, and fortunately they just did. The next release of NCPA should have this vulnerability resolved.
Aaron
We are dependent on Windows to update python in this case, and fortunately they just did. The next release of NCPA should have this vulnerability resolved.
Aaron