CVE-2023-38349 (https://github.com/pnp4nagios/pnp4nagios/pull/17): PNP4Nagios through 81ebfc5 lacks CSRF protection in the AJAX controller. This affects 0.6.26.

CVE-2023-38350 (https://github.com/pnp4nagios/pnp4nagios/pull/16): PNP4Nagios through 81ebfc5 has stored XSS in the AJAX controller via the basket API and filters. This affects 0.6.26.

38350's reference doesn't seem relevant, but 38349's reference claims: "There is a fork named pnp (v0.6.42) where it is solved. I guess pnp4nagios will no longer be maintained."