CVE-2026-9549: Stored XSS in Checkmk Service Discovery – Patch Guidance
Checkmk versions before 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases contain a stored cross-site scripting vulnerability in the service discovery active check output feature. An administrator with the ability to configure active or custom checks can inject malicious HTML or JavaScript that will execute in the browsers of other administrators or users with host read permissions when they view or run checks on the service discovery page. The attack is persistent—the injected code remains in the system until removed.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.8 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 157 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run the check on the service discovery page.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a stored XSS vulnerability (CWE-79) affecting Checkmk's service discovery workflow. The vulnerability exists because user-supplied input from active check and custom check configurations is not properly sanitized before being displayed in the service discovery page output. An authenticated administrator can craft malicious check output that includes JavaScript payloads. When another authenticated user (admin or host-read-capable user) accesses the service discovery page to run or view checks, the stored payload executes in their browser context. The vulnerability requires high privilege (administrator role) to inject the payload and user interaction (viewing the service discovery page), limiting the attack surface but not eliminating the risk in multi-user environments.
Business impact
Organizations running vulnerable Checkmk deployments face session hijacking, credential theft, and privilege escalation risks. A malicious or compromised administrator account can inject payloads that harvest session tokens or perform actions on behalf of other users. In environments with shared administrative responsibilities, this creates lateral movement and persistence opportunities. Additionally, this vulnerability could be exploited by an insider with check configuration permissions to compromise monitoring operations and exfiltrate sensitive host or check data visible to affected users. The impact is confined to authenticated contexts but could undermine trust in the monitoring platform itself.
Affected systems
Vulnerable versions include Checkmk 2.5.0 (before patch 5), 2.4.0 (before patch 31), 2.3.0 (before patch 48), and all releases in the 2.2.0 branch. The vulnerability is present across all instances where active or custom check configuration is exposed to administrators. Verify your current version and patch level against the vendor's official release notes to confirm whether your deployment is affected.
Exploitability
The vulnerability requires administrative credentials to configure the malicious check, placing it in a privileged attack path. However, the execution occurs automatically when any authorized user views the affected service discovery page, meaning no additional social engineering or user manipulation is necessary beyond the initial compromise of an admin account. The barrier to exploitation is high privilege plus low complexity, but the reach extends to all users who interact with service discovery—making it impactful in multi-admin or shared-responsibility environments.
Remediation
Upgrade Checkmk to patched versions: 2.5.0p5 or later, 2.4.0p31 or later, 2.3.0p48 or later, or transition off the 2.2.0 branch entirely (no patch available for 2.2.0). If immediate patching is not possible, restrict administrator role assignments to trusted personnel only and audit active check and custom check configurations for suspicious or unexpected content. Review logs and service discovery output history for signs of injected HTML or JavaScript.
Patch guidance
Checkmk provides cumulative security patches. Download and apply the latest available patch for your current major.minor version from the Checkmk vendor portal. For 2.2.0 users, upgrading to at least 2.3.0p48 is required. Test patches in a non-production environment first to ensure compatibility with custom checks and monitoring workflows. Document the patch version after deployment to support compliance tracking.
Detection guidance
Monitor Checkmk audit logs for changes to active check and custom check configurations, particularly those made by administrative accounts. Inspect service discovery output pages and raw check configurations for HTML tags, JavaScript keywords (onclick, onload, etc.), or script payloads. Use browser developer tools to review the DOM of the service discovery page for unexpected inline scripts or event handlers. Log all administrative configuration changes and correlate with user sessions accessing the service discovery page during the same timeframe.
Why prioritize this
Although rated MEDIUM severity and not yet on the KEV list, this vulnerability merits prompt attention because it enables account compromise and lateral movement within a monitoring platform that administrators rely on for operational visibility. The persistent nature of stored XSS and the scope crossing (configuration context to rendering context) amplify risk. Prioritize patching environments with multiple administrators or shared check management responsibilities.
Risk score, explained
CVSS 3.1 score of 4.8 (MEDIUM) reflects the requirement for high privilege to inject the payload (PR:H) and user interaction (UI:R), combined with network accessibility (AV:N) and low complexity (AC:L). The impact is limited to confidentiality and integrity (C:L, I:L) with no availability impact (A:N), and the scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component (other users' browsers). The score appropriately penalizes the high privilege requirement while recognizing that stored XSS in a widely-used administrative interface can cascade to broader compromise.
Frequently asked questions
Does this vulnerability allow an unprivileged user to inject malicious code?
No. The vulnerability requires administrative credentials to configure active or custom checks. Unprivileged or read-only users cannot inject payloads. However, they can be victimized by a malicious administrator who injects code that executes in their browser.
What is the difference between this vulnerability and a reflected XSS?
This is stored XSS, meaning the malicious payload persists in the Checkmk database and executes every time any authorized user accesses the service discovery page. Reflected XSS would require tricking a user into clicking a specially crafted link. Stored XSS is generally more dangerous because the payload remains active indefinitely until removed.
If we restrict admin access to a single trusted person, are we safe?
Restricting admin access reduces attack surface but does not eliminate the risk. A single compromised admin account, phishing attack, or insider threat can still exploit this vulnerability. Patching is the only reliable remediation. Restricted access should complement, not replace, patching.
Are there workarounds if we cannot patch immediately?
There is no complete workaround. Mitigation options include: (1) auditing and removing any suspicious active or custom check configurations, (2) restricting administrator role assignment to absolutely necessary personnel, (3) disabling service discovery features if they are not critical, and (4) monitoring for suspicious activity in logs and user sessions. These reduce risk but do not prevent exploitation if an admin account is compromised. Plan patching as soon as feasible.
This analysis is based on the CVE record and vendor advisory as of the publication date. Patch versions and affected product lists should be verified against the official Checkmk security announcement before taking action. No exploit code or proof-of-concept is provided or endorsed. Organizations are responsible for assessing their own risk posture, testing patches in controlled environments, and following their change management procedures. SEC.co makes no warranty regarding the accuracy or completeness of remediation guidance and recommends consulting Checkmk support for environment-specific questions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-7186MEDIUMStored XSS in Checkmk Dashboard Widget – Patch Now
- CVE-2026-8078MEDIUMStored XSS in Checkmk Global Settings Audit Log
- CVE-2026-8833MEDIUMCheckmk URL Validation Bypass & XSS Vulnerability
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk