MEDIUM 5.4

CVE-2026-7186: Stored XSS in Checkmk Dashboard Widget – Patch Now

A stored cross-site scripting (XSS) vulnerability exists in Checkmk's URL dashboard widget that allows authenticated users with dashboard editing permissions to inject malicious scripts. When other users view an affected dashboard, these scripts execute in their browsers without their knowledge. The vulnerability affects Checkmk versions before 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions. An attacker needs valid Checkmk credentials and dashboard edit access to exploit this flaw.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
157 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Stored cross-site scripting in the URL dashboard widget in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the dashboard.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a stored XSS flaw (CWE-79) in the URL dashboard widget component. It occurs because the widget fails to properly sanitize or validate dangerous URI schemes—such as javascript:—before storing and rendering user-supplied URLs. When a dashboard is displayed to other users, the malicious URI executes in their browser context, potentially allowing session hijacking, credential theft, or lateral movement within the monitoring infrastructure. The attack requires network access to the Checkmk instance and valid authentication with dashboard editing privileges.

Business impact

For organizations relying on Checkmk for infrastructure monitoring, this vulnerability creates insider threat and privilege escalation risks. A compromised or malicious admin account could deploy XSS payloads across dashboards viewed by security teams, operations staff, and executives. This could lead to credential harvesting, unauthorized access to sensitive monitoring data, or disruption of incident response workflows. The impact is amplified in multi-tenant or shared Checkmk environments where dashboard visibility is broad.

Affected systems

Checkmk versions affected include: all 2.2.0 versions, 2.3.0 before patch 48, 2.4.0 before patch 31, and 2.5.0 before patch 5. Organizations using any of these versions with active dashboard widgets containing URLs are at risk. The vulnerability does not affect patched versions: 2.3.0p48 and later, 2.4.0p31 and later, or 2.5.0p5 and later.

Exploitability

Exploitability is moderate. The attack requires an authenticated user with dashboard editing privileges, which limits the attacker pool within most organizations. However, many Checkmk deployments grant broad dashboard editing access to multiple team members. No user interaction is required from victims beyond normal dashboard viewing. The vulnerability is network-accessible and trivial to execute once permissions are obtained—simply embedding a javascript: URI in a URL widget is sufficient. It has not been added to the CISA KEV catalog.

Remediation

Immediately patch Checkmk to a fixed version: 2.3.0p48, 2.4.0p31, 2.5.0p5, or later. If immediate patching is not possible, restrict dashboard editing permissions to a minimal trusted group and audit existing dashboards for suspicious URLs or URI schemes. Consider implementing a Web Application Firewall (WAF) rule to block dashboard requests containing javascript: or other dangerous schemes if the Checkmk instance is internet-facing.

Patch guidance

Apply the latest available patch for your Checkmk release branch. For version 2.2.0 users: migration to 2.3.0p48 or higher is required, as 2.2.0 is no longer patched. For 2.3.x users: update to 2.3.0p48 or later. For 2.4.x users: update to 2.4.0p31 or later. For 2.5.x users: update to 2.5.0p5 or later. Test patches in a non-production environment before deployment to ensure compatibility with custom dashboards and integrations. Verify against official Checkmk release notes to confirm patch applicability.

Detection guidance

Review dashboard widget configurations and audit the creation/modification dates of URL widgets, particularly those created or modified after the vulnerability publication date (June 8, 2026). Look for URLs containing suspicious URI schemes (javascript:, data:, vbscript:) or obfuscated payloads. Monitor Checkmk access logs for unusual dashboard editing activity by privileged accounts. Inspect browser console logs on client machines for XSS errors or unexpected script execution after viewing Checkmk dashboards. Consider scanning dashboard configurations for regex patterns matching dangerous URI schemes.

Why prioritize this

This vulnerability merits prompt attention despite its MEDIUM CVSS score because it combines stored persistence (difficult to detect in real-time), broad victim exposure (any dashboard viewer), and exploitation simplicity. In environments where dashboards are frequently accessed by security teams, the risk of credential or session compromise is elevated. The threat is amplified if your organization has high dashboard editing privileges or operates a shared Checkmk instance. However, the requirement for authenticated access and editing permissions lowers urgency compared to unauthenticated RCE flaws. Prioritize patching if dashboards are widely shared or contain links to sensitive systems.

Risk score, explained

The CVSS 3.1 score of 5.4 (MEDIUM) reflects: low attack vector complexity (simple URL injection), requirement for valid user credentials (raises attack complexity), cross-site scope (potential lateral impact), and limited damage (confidentiality and integrity impact, no availability loss). The score appropriately accounts for the authenticated prerequisite. However, business context matters: in high-privilege environments or with broad dashboard sharing, the practical risk exceeds the base score. The absence of public exploitation and KEV status suggests limited real-world weaponization to date.

Frequently asked questions

Can an attacker exploit this without valid Checkmk credentials?

No. The vulnerability requires authentication and active dashboard editing permissions. An attacker must have a valid user account in Checkmk and sufficient privileges to modify dashboard widgets. This significantly limits the threat surface compared to unauthenticated vulnerabilities.

What happens if I patch only some Checkmk instances in my environment?

Patched instances will be protected from new XSS injections via the URL widget. However, unpatched instances remain vulnerable and could be used to spread malicious dashboards. If dashboards are synchronized or shared across instances, ensure all instances are patched simultaneously to prevent cross-instance exploitation.

How can I quickly identify if our dashboards contain malicious URLs?

Export your dashboard configuration or query the Checkmk database for URL widgets. Search for URI schemes like javascript:, data:, vbscript:, or encoded variants. Additionally, check dashboard creation/modification logs between June 8, 2026, and your patch date for suspicious activity by privileged users.

Does this vulnerability require end-user interaction to exploit?

The vulnerability is stored and executes automatically when a victim views an affected dashboard. No end-user action beyond normal dashboard viewing is required. This makes it more dangerous than reflected XSS variants.

This analysis is based on CVE-2026-7186 source data and CVSS 3.1 scoring. Specific patch versions and affected releases should be verified against official Checkmk security advisories and vendor documentation. Patch testing in your environment is mandatory before production deployment. SEC.co does not endorse any specific remediation timeline; your organization's risk tolerance and operational constraints should determine urgency. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).