Back in early 2019, I researched Nagios XI and found some serious flaws. But I felt I left a large stone unturned. A chunk of the PHP code base was protected by SourceGuardian, so I couldn’t audit 65 files.
http://medium.com/tenable-techblog/dumping-php-opcodes-protected-by-sourceguardian-a0acd8058038
http://medium.com/tenable-techblog/dumping-php-opcodes-protected-by-sourceguardian-a0acd8058038