By vendor

Checkmk vulnerabilities

Known CVEs affecting Checkmk products, prioritized by severity, with SEC.co remediation and detection guidance.

5 published vulnerabilities

  • CVE-2026-7186MEDIUM 5.4

    A stored cross-site scripting (XSS) vulnerability exists in Checkmk's URL dashboard widget that allows authenticated users with dashboard editing permissions to inject malicious scripts. When other users view an affected dashboard, these scripts execute in their browsers without their knowledge. The vulnerability affects Checkmk versions before 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions. An attacker needs valid Checkmk credentials and dashboard edit access to exploit this flaw.

  • CVE-2026-8833MEDIUM 5.4

    Checkmk versions before 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases contain a flaw in how they validate URLs. An authenticated attacker can craft a malicious link using HTML encoding tricks to bypass the validation system and inject harmful URLs—such as javascript: links—into the application. When another user clicks or interacts with the crafted link, it can execute arbitrary JavaScript in their browser, compromising their session and data.

  • CVE-2026-7765MEDIUM 5.3

    Checkmk contains a flaw in how it controls access to user messages through its dashboard feature. When someone shares a dashboard using a public token, the system incorrectly returns messages belonging to the dashboard creator instead of the person viewing it. An attacker who obtains a valid share token can bypass normal access controls and read the creator's private messages directly from the underlying API endpoints—even if no User Messages widget is visible on the dashboard itself. This is an authorization bypass that leaks sensitive information.

  • CVE-2026-8078MEDIUM 4.8

    Checkmk versions before 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases contain a stored cross-site scripting (XSS) vulnerability in the global settings change log. An administrator with permission to modify global settings can inject malicious HTML or JavaScript into changelog messages. When other users view the Activate Changes page or Audit log, this malicious code executes in their browsers, potentially compromising their sessions or stealing information.

  • CVE-2026-9549MEDIUM 4.8

    Checkmk versions before 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases contain a stored cross-site scripting vulnerability in the service discovery active check output feature. An administrator with the ability to configure active or custom checks can inject malicious HTML or JavaScript that will execute in the browsers of other administrators or users with host read permissions when they view or run checks on the service discovery page. The attack is persistent—the injected code remains in the system until removed.