Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run the check on the service discovery page.
AnalysisAI
Stored cross-site scripting in Checkmk's service discovery active check output allows a high-privileged administrator to inject persistent malicious HTML or JavaScript that executes in the browsers of other administrators or users with host read permissions when they run checks on the service discovery page. Affected versions span all currently maintained branches: Checkmk below 2.5.0p5, below 2.4.0p31, below 2.3.0p48, and all 2.2.0 releases with no patch for that branch. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the stored nature of the XSS and its targeting of privileged user sessions make it a meaningful lateral-privilege and session-compromise vector within Checkmk deployments.
Technical ContextAI
Checkmk is an enterprise IT monitoring platform (CPE: cpe:2.3:a:checkmk_gmbh:checkmk:*:*:*:*:*:*:*:*) that supports both built-in and administrator-defined active and custom checks whose output is rendered in the web-based service discovery interface. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS): check output returned by active checks is persisted and later rendered in the service discovery page without sufficient sanitization. Because check output is stored server-side and replayed into the browser on demand, any administrator with check configuration rights can embed JavaScript or HTML that executes in the security context of any subsequent user who views that check output on the service discovery page.
RemediationAI
The primary fix is to upgrade to a vendor-released patched version: Checkmk 2.5.0p5, 2.4.0p31, or 2.3.0p48, as documented in the vendor advisory at https://checkmk.com/werk/17993. The 2.2.0 branch has no patch available; operators on that branch should plan an urgent upgrade to a supported and patched release. As a compensating control while patches are staged, access to active and custom check configuration should be restricted to the absolute minimum set of fully trusted administrators, reducing the attacker pool that can plant a payload. Auditing existing active and custom check configurations for unexpected HTML or JavaScript content in check output fields can help detect any prior injection attempts. No workaround is known that fully neutralizes the stored XSS without applying the vendor patch.
Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, whi
The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dok
The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uplo
Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta
The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the W
Local privilege escalation in Checkmk allows site users with high privileges to escalate to root by manipulating site co
Bypass of two factor authentication in RestAPI in Checkmk < 2.3.0p16 and < 2.2.0p34 allows authenticated users to bypass
Insufficient authentication flow in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows attacker to use locked credent
A security vulnerability in autocomplete endpoint within the RestAPI of Checkmk (CVSS 8.8) that allows an authenticated
Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escal
Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user t
Cross-Site request forgery in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) could lead to 1-click com
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35054
GHSA-h7cw-jgmc-mwc6