CVE-2026-7186: Stored XSS in Checkmk Dashboard Widget – Patch Now
A stored cross-site scripting (XSS) vulnerability exists in Checkmk's URL dashboard widget that allows authenticated users with dashboard editing permissions to inject malicious scripts. When other users view an affected dashboard, these scripts execute in their browsers without their knowledge. The vulnerability affects Checkmk versions before 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions. An attacker needs valid Checkmk credentials and dashboard edit access to exploit this flaw.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 157 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
Stored cross-site scripting in the URL dashboard widget in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the dashboard.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is a stored XSS flaw (CWE-79) in the URL dashboard widget component. It occurs because the widget fails to properly sanitize or validate dangerous URI schemes—such as javascript:—before storing and rendering user-supplied URLs. When a dashboard is displayed to other users, the malicious URI executes in their browser context, potentially allowing session hijacking, credential theft, or lateral movement within the monitoring infrastructure. The attack requires network access to the Checkmk instance and valid authentication with dashboard editing privileges.
Business impact
For organizations relying on Checkmk for infrastructure monitoring, this vulnerability creates insider threat and privilege escalation risks. A compromised or malicious admin account could deploy XSS payloads across dashboards viewed by security teams, operations staff, and executives. This could lead to credential harvesting, unauthorized access to sensitive monitoring data, or disruption of incident response workflows. The impact is amplified in multi-tenant or shared Checkmk environments where dashboard visibility is broad.
Affected systems
Checkmk versions affected include: all 2.2.0 versions, 2.3.0 before patch 48, 2.4.0 before patch 31, and 2.5.0 before patch 5. Organizations using any of these versions with active dashboard widgets containing URLs are at risk. The vulnerability does not affect patched versions: 2.3.0p48 and later, 2.4.0p31 and later, or 2.5.0p5 and later.
Exploitability
Exploitability is moderate. The attack requires an authenticated user with dashboard editing privileges, which limits the attacker pool within most organizations. However, many Checkmk deployments grant broad dashboard editing access to multiple team members. No user interaction is required from victims beyond normal dashboard viewing. The vulnerability is network-accessible and trivial to execute once permissions are obtained—simply embedding a javascript: URI in a URL widget is sufficient. It has not been added to the CISA KEV catalog.
Remediation
Immediately patch Checkmk to a fixed version: 2.3.0p48, 2.4.0p31, 2.5.0p5, or later. If immediate patching is not possible, restrict dashboard editing permissions to a minimal trusted group and audit existing dashboards for suspicious URLs or URI schemes. Consider implementing a Web Application Firewall (WAF) rule to block dashboard requests containing javascript: or other dangerous schemes if the Checkmk instance is internet-facing.
Patch guidance
Apply the latest available patch for your Checkmk release branch. For version 2.2.0 users: migration to 2.3.0p48 or higher is required, as 2.2.0 is no longer patched. For 2.3.x users: update to 2.3.0p48 or later. For 2.4.x users: update to 2.4.0p31 or later. For 2.5.x users: update to 2.5.0p5 or later. Test patches in a non-production environment before deployment to ensure compatibility with custom dashboards and integrations. Verify against official Checkmk release notes to confirm patch applicability.
Detection guidance
Review dashboard widget configurations and audit the creation/modification dates of URL widgets, particularly those created or modified after the vulnerability publication date (June 8, 2026). Look for URLs containing suspicious URI schemes (javascript:, data:, vbscript:) or obfuscated payloads. Monitor Checkmk access logs for unusual dashboard editing activity by privileged accounts. Inspect browser console logs on client machines for XSS errors or unexpected script execution after viewing Checkmk dashboards. Consider scanning dashboard configurations for regex patterns matching dangerous URI schemes.
Why prioritize this
This vulnerability merits prompt attention despite its MEDIUM CVSS score because it combines stored persistence (difficult to detect in real-time), broad victim exposure (any dashboard viewer), and exploitation simplicity. In environments where dashboards are frequently accessed by security teams, the risk of credential or session compromise is elevated. The threat is amplified if your organization has high dashboard editing privileges or operates a shared Checkmk instance. However, the requirement for authenticated access and editing permissions lowers urgency compared to unauthenticated RCE flaws. Prioritize patching if dashboards are widely shared or contain links to sensitive systems.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) reflects: low attack vector complexity (simple URL injection), requirement for valid user credentials (raises attack complexity), cross-site scope (potential lateral impact), and limited damage (confidentiality and integrity impact, no availability loss). The score appropriately accounts for the authenticated prerequisite. However, business context matters: in high-privilege environments or with broad dashboard sharing, the practical risk exceeds the base score. The absence of public exploitation and KEV status suggests limited real-world weaponization to date.
Frequently asked questions
Can an attacker exploit this without valid Checkmk credentials?
No. The vulnerability requires authentication and active dashboard editing permissions. An attacker must have a valid user account in Checkmk and sufficient privileges to modify dashboard widgets. This significantly limits the threat surface compared to unauthenticated vulnerabilities.
What happens if I patch only some Checkmk instances in my environment?
Patched instances will be protected from new XSS injections via the URL widget. However, unpatched instances remain vulnerable and could be used to spread malicious dashboards. If dashboards are synchronized or shared across instances, ensure all instances are patched simultaneously to prevent cross-instance exploitation.
How can I quickly identify if our dashboards contain malicious URLs?
Export your dashboard configuration or query the Checkmk database for URL widgets. Search for URI schemes like javascript:, data:, vbscript:, or encoded variants. Additionally, check dashboard creation/modification logs between June 8, 2026, and your patch date for suspicious activity by privileged users.
Does this vulnerability require end-user interaction to exploit?
The vulnerability is stored and executes automatically when a victim views an affected dashboard. No end-user action beyond normal dashboard viewing is required. This makes it more dangerous than reflected XSS variants.
This analysis is based on CVE-2026-7186 source data and CVSS 3.1 scoring. Specific patch versions and affected releases should be verified against official Checkmk security advisories and vendor documentation. Patch testing in your environment is mandatory before production deployment. SEC.co does not endorse any specific remediation timeline; your organization's risk tolerance and operational constraints should determine urgency. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-8078MEDIUMStored XSS in Checkmk Global Settings Audit Log
- CVE-2026-8833MEDIUMCheckmk URL Validation Bypass & XSS Vulnerability
- CVE-2026-9549MEDIUMStored XSS in Checkmk Service Discovery – Patch Guidance
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk