CVE-2016-9259 Tenable CVE debrief

Who should care

Tenable Nessus administrators, vulnerability management teams, and security operators who allow authenticated users to access the Nessus web interface should prioritize this advisory. It is especially relevant in shared environments or any deployment where lower-trust users can log in to Nessus.

Technical summary

NVD classifies this issue as CWE-79 (Cross-Site Scripting) with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, scoring 5.4 (Medium). The affected product is Tenable Nessus, with NVD listing vulnerable CPE entries for versions 6.8, 6.8.1, 6.8.2, and 6.9. The published description states that authenticated remote users can inject arbitrary web script or HTML, with the exact injection vectors not specified in the supplied record.

Defensive priority

Medium. Patch promptly if you operate Nessus 6.9 or earlier, especially where multiple authenticated users, delegated access, or less-trusted operators can use the web UI.

Recommended defensive actions

• Upgrade Tenable Nessus to version 6.9.1 or later, as identified in the published advisory and CVE description.
• Restrict authenticated access to the Nessus web interface to only trusted administrators and operators.
• Review role-based access and account hygiene so lower-trust users cannot reach unnecessary management functions.
• Reconfirm that any deployed Nessus instances or scanners are on a fixed version, including centrally managed installations.
• Monitor the Nessus vendor advisory and your internal patch status to ensure the remediation is fully applied.

Evidence notes

The CVE record was published on 2017-02-28 and last modified on 2026-05-13 in the supplied NVD data. The supplied sources identify the weakness as CWE-79 and provide the CVSS 3.0 vector and score. NVD also lists affected Nessus CPEs for 6.8, 6.8.1, 6.8.2, and 6.9. The Tenable advisory reference is included in the official CVE references, but the supplied corpus does not provide its full text.

Official resources