Nagios Support Forum

Hi Everyone,

You're probably already aware, but the current version of NCPA contains a version of python which is affected by some recently published CVEs.

More details here.

https://github.com/NagiosEnterprises/ncpa/issues/1341


Hopefully we get a new version asap.

Thanks,


Peter.

Hi @proddan,

Thanks for bringing this to our attention.

NCPA 3.2.3 which was released last week, shipped with the latest version of python3.13 that is currently available 3.13.11. It is also not immediately clear if updating to 3.14.2 or 3.15.0 (pre-release) would fix the vulnerabilities as the affected python versions in the CVE's are unspecified.

It's going to be at least a month before the next NCPA release. In the meantime, you can always download the source code for NCPA and build your own binaries with whatever version of python you like.

Hi,

I have upgraded the NCPA agent to version 3.3.1, but Windows Defender still reports a vulnerability related to Python:

CVE-2026-4519
CVE-2024-12797
CVE-2026-4224
CVE-2026-3644
CVE-2026-2297

We use the NCPA agent solely to monitor machines and alert us if there are any issues with services—nothing more. This may not be the most appropriate question, but for this type of use, is Python actually exploitable within the NCPA agent, or are the vulnerabilities being flagged simply because Python is bundled with it? Also, while the previous vulnerabilities were addressed after the agent upgrade, new ones have appeared. Does this mean we should expect vulnerabilities to be reported on a monthly basis?

Thank you in advance for any answer

Hi,

We are dependent on Windows to update python in this case, and fortunately they just did. The next release of NCPA should have this vulnerability resolved.

Aaron