From the Changelog: "Fix for a potential cross site scripting vulnerability in the CGIs" I just committed nagios-(core-)2.10, nagios-2* hasn't been stable on any architecture. Not sure if nagios-1.* (currently stable) is also affected, if so nagios-2.10 is ready for stabilization from my pov.
Thx for the heads up Tobias. Seems like it only affects 2.x otherwise we'll have to reopen. So closing without GLSA for now.