Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.
AnalysisAI
Stored cross-site scripting in Checkmk dashboard dashlet title links enables authenticated attackers with dashboard creation privileges to execute malicious JavaScript in victims' browsers when they click crafted dashlet links on shared dashboards. Affects Checkmk 2.2.0 (EOL), 2.3.0 before p46, 2.4.0 before p25, and 2.5.0 beta before b3. Vendor-released patches are available for all supported versions. EPSS score of 0.05% (14th percentile) indicates low predicted exploitation probability, and no public exploit identified at time of analysis, though CVSS 8.5 reflects the high impact of successful exploitation (complete confidentiality, integrity, and availability compromise in victim context).
Technical ContextAI
This vulnerability stems from insufficient input sanitization (CWE-79) in Checkmk's dashboard feature, specifically when processing user-supplied title links for dashboard dashlets. Checkmk is an enterprise IT infrastructure monitoring solution (CPE: cpe:2.3:a:checkmk_gmbh:checkmk). The flaw allows JavaScript injection through dashboard dashlet title link fields, which are then stored server-side and executed when rendered in other users' browsers. This is a stored (persistent) XSS variant, meaning the malicious payload persists in the application database and executes whenever the affected dashboard is loaded, making it more dangerous than reflected XSS. The vulnerability requires authentication and dashboard creation privileges, indicating it exploits trusted-user features rather than public-facing interfaces. The CVSS 4.0 vector shows low attack complexity (AC:L) with network attack vector (AV:N), confirming this is exploitable remotely but requires low-privileged authentication (PR:L) and active user interaction (UI:A).
RemediationAI
Upgrade to the vendor-released patched versions: Checkmk 2.3.0p46 or later for 2.3.x deployments, Checkmk 2.4.0p25 or later for 2.4.x deployments, or Checkmk 2.5.0b3 or later for beta channel users as detailed in Checkmk Werk 19033 (https://checkmk.com/werk/19033) and Werk 19583 (https://checkmk.com/werk/19583). Checkmk 2.2.0 is end-of-life and should be migrated to a supported version immediately. If immediate patching is not feasible, implement these compensating controls: restrict dashboard creation privileges to only highly trusted administrators (reduces PR:L threat surface), implement Content Security Policy (CSP) headers to prevent inline JavaScript execution (trade-off: may break legitimate Checkmk dashboard features requiring script evaluation), disable dashboard sharing features until patching is complete (eliminates victim access vector but reduces collaboration functionality), and monitor dashboard modification logs for suspicious title link patterns containing JavaScript event handlers or script tags. These workarounds provide defense-in-depth but do not eliminate the vulnerability - patching remains the only complete remediation.
Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, whi
The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dok
The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uplo
Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta
The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the W
Local privilege escalation in Checkmk allows site users with high privileges to escalate to root by manipulating site co
Bypass of two factor authentication in RestAPI in Checkmk < 2.3.0p16 and < 2.2.0p34 allows authenticated users to bypass
Insufficient authentication flow in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows attacker to use locked credent
A security vulnerability in autocomplete endpoint within the RestAPI of Checkmk (CVSS 8.8) that allows an authenticated
Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escal
Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user t
Cross-Site request forgery in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) could lead to 1-click com
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19605
GHSA-6wcg-pxr7-8826