A stored XSS vulnerability in Nagios Log Server 2024R1.3.1 allows a low-privileged user to inject malicious JavaScript into the 'email' field of their profile. When an administrator views the audit logs, the script executes, resulting in privilege escalation via unauthorized admin account creation. The vulnerability can be chained to achieve remote code execution (RCE) in certain configurations.