CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.
Analysis
Stored cross-site scripting (XSS) in Checkmk dashboard functionality allows authenticated users with dashboard creation privileges to inject malicious scripts through unsanitized dashlet title links, achieving high confidentiality and integrity impact (CVSS 8.5) when victims click crafted links on shared dashboards. Affects Checkmk 2.2.0 (EOL), 2.3.0 before p46, 2.4.0 before p25, and beta 2.5.0 before b3. …
Remediation
Within 24 hours: Identify all Checkmk deployments and document affected versions (2.2.0, 2.3.0 before p46, 2.4.0 before p25, 2.5.0 before b3). Within 7 days: Restrict dashboard creation privileges to only trusted administrators and audit existing dashboards for suspicious titles or links; apply available patches to 2.3.0 (upgrade to p46 or later), 2.4.0 (upgrade to p25 or later), and 2.5.0 beta (upgrade to b3 or later). …
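The weakness the description names is a dashlet title link that is stored and later rendered without checking its URL scheme or escaping its text. The following is an added example, not Checkmk's own code: the functions `is_safe_title_link`, `render_dashlet_title` and `audit_dashlets`, the `title`/`title_url` fields, and the sample dashlet records are all assumptions constructed for illustration, showing a scheme allowlist plus output escaping and the audit pass the remediation calls for.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical check, not Checkmk's own code: a dashlet title may only link
# to plain web URLs, and the title text is escaped before it is rendered.
ALLOWED_SCHEMES = {"http", "https"}

def is_safe_title_link(url: str) -> bool:
    """Accept absolute http(s) URLs or site-relative paths, nothing else."""
    candidate = url.strip()
    if not candidate:
        return False
    # Embedded whitespace or control characters are a classic way to hide
    # a scheme from naive checks, so reject them before parsing.
    if any(ord(ch) < 0x20 or ch.isspace() for ch in candidate):
        return False
    parts = urlsplit(candidate)
    if parts.scheme:
        return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)
    # No scheme: allow site-relative paths but not protocol-relative "//host".
    return candidate.startswith("/") and not candidate.startswith("//")

def render_dashlet_title(title: str, url: Optional[str]) -> str:
    """Escape the title; wrap it in a link only when the URL passes the check."""
    safe_title = html.escape(title, quote=True)
    if url is None or not is_safe_title_link(url):
        # Keep the title visible but drop a link that fails validation.
        return safe_title
    return f'<a href="{html.escape(url, quote=True)}">{safe_title}</a>'

def audit_dashlets(dashlets):
    """List dashlets whose stored title or link would fail the check above."""
    findings = []
    for idx, dashlet in enumerate(dashlets):
        url = dashlet.get("title_url")
        if url is not None and not is_safe_title_link(url):
            findings.append((idx, "unsafe title_url", url))
        if any(ch in dashlet.get("title", "") for ch in "<>\"'"):
            findings.append((idx, "markup in title", dashlet["title"]))
    return findings

# Constructed sample records standing in for stored dashlet definitions.
SAMPLE_DASHLETS = [
    {"title": "All hosts", "title_url": "/check_mk/view.py?view_name=allhosts"},
    {"title": "Service problems", "title_url": "javascript:void(0)"},
    {"title": "Events <b>", "title_url": None},
]
```

Running `audit_dashlets` over exported dashboard definitions flags the entries an administrator should review before the patch is applied; the renderer shows the safe default of dropping a failed link rather than emitting it.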
References
EUVD-2026-19605
GHSA-6wcg-pxr7-8826