Skip to main content

Checkmk CVE-2026-3466

| EUVDEUVD-2026-19605 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-07 Checkmk GHSA-6wcg-pxr7-8826
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

8
Analysis Updated
Apr 22, 2026 - 13:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 13:22 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:05 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.3.0p46,2.5.0b3,2.4.0p25
EUVD ID Assigned
Apr 07, 2026 - 12:45 euvd
EUVD-2026-19605
Analysis Generated
Apr 07, 2026 - 12:45 vuln.today
CVE Published
Apr 07, 2026 - 12:08 nvd
HIGH 8.5

DescriptionCVE.org

Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.

AnalysisAI

Stored cross-site scripting in Checkmk dashboard dashlet title links enables authenticated attackers with dashboard creation privileges to execute malicious JavaScript in victims' browsers when they click crafted dashlet links on shared dashboards. Affects Checkmk 2.2.0 (EOL), 2.3.0 before p46, 2.4.0 before p25, and 2.5.0 beta before b3. Vendor-released patches are available for all supported versions. EPSS score of 0.05% (14th percentile) indicates low predicted exploitation probability, and no public exploit identified at time of analysis, though CVSS 8.5 reflects the high impact of successful exploitation (complete confidentiality, integrity, and availability compromise in victim context).

Technical ContextAI

This vulnerability stems from insufficient input sanitization (CWE-79) in Checkmk's dashboard feature, specifically when processing user-supplied title links for dashboard dashlets. Checkmk is an enterprise IT infrastructure monitoring solution (CPE: cpe:2.3:a:checkmk_gmbh:checkmk). The flaw allows JavaScript injection through dashboard dashlet title link fields, which are then stored server-side and executed when rendered in other users' browsers. This is a stored (persistent) XSS variant, meaning the malicious payload persists in the application database and executes whenever the affected dashboard is loaded, making it more dangerous than reflected XSS. The vulnerability requires authentication and dashboard creation privileges, indicating it exploits trusted-user features rather than public-facing interfaces. The CVSS 4.0 vector shows low attack complexity (AC:L) with network attack vector (AV:N), confirming this is exploitable remotely but requires low-privileged authentication (PR:L) and active user interaction (UI:A).

RemediationAI

Upgrade to the vendor-released patched versions: Checkmk 2.3.0p46 or later for 2.3.x deployments, Checkmk 2.4.0p25 or later for 2.4.x deployments, or Checkmk 2.5.0b3 or later for beta channel users as detailed in Checkmk Werk 19033 (https://checkmk.com/werk/19033) and Werk 19583 (https://checkmk.com/werk/19583). Checkmk 2.2.0 is end-of-life and should be migrated to a supported version immediately. If immediate patching is not feasible, implement these compensating controls: restrict dashboard creation privileges to only highly trusted administrators (reduces PR:L threat surface), implement Content Security Policy (CSP) headers to prevent inline JavaScript execution (trade-off: may break legitimate Checkmk dashboard features requiring script evaluation), disable dashboard sharing features until patching is complete (eliminates victim access vector but reduces collaboration functionality), and monitor dashboard modification logs for suspicious title link patterns containing JavaScript event handlers or script tags. These workarounds provide defense-in-depth but do not eliminate the vulnerability - patching remains the only complete remediation.

CVE-2017-14955 MEDIUM POC
5.9 Oct 02

Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, whi

CVE-2021-40904 HIGH POC
8.8 Mar 25

The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dok

CVE-2021-40905 HIGH POC
8.8 Mar 25

The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uplo

CVE-2024-28825 CRITICAL
9.8 Apr 24

Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta

CVE-2021-36563 MEDIUM POC
5.4 Jul 26

The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the W

CVE-2025-39666 CRITICAL
9.3 Apr 07

Local privilege escalation in Checkmk allows site users with high privileges to escalate to root by manipulating site co

CVE-2024-8606 CRITICAL
9.2 Sep 23

Bypass of two factor authentication in RestAPI in Checkmk < 2.3.0p16 and < 2.2.0p34 allows authenticated users to bypass

CVE-2023-31211 HIGH
8.8 Jan 12

Insufficient authentication flow in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows attacker to use locked credent

CVE-2025-32918 HIGH
8.8 Jul 04

A security vulnerability in autocomplete endpoint within the RestAPI of Checkmk (CVSS 8.8) that allows an authenticated

CVE-2023-6735 HIGH
8.8 Jan 12

Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escal

CVE-2023-6740 HIGH
8.8 Jan 12

Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user t

CVE-2024-28828 HIGH
8.8 Jul 10

Cross-Site request forgery in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) could lead to 1-click com

Share

CVE-2026-3466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy