Skip to main content

Checkmk EUVDEUVD-2026-35054

| CVE-2026-9549 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-08 Checkmk GHSA-h7cw-jgmc-mwc6
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 08, 2026 - 14:01 EUVD
Analysis Generated
Jun 08, 2026 - 13:48 vuln.today
CVSS changed
Jun 08, 2026 - 13:22 NVD
4.8 (MEDIUM)

DescriptionCVE.org

Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run the check on the service discovery page.

AnalysisAI

Stored cross-site scripting in Checkmk's service discovery active check output allows a high-privileged administrator to inject persistent malicious HTML or JavaScript that executes in the browsers of other administrators or users with host read permissions when they run checks on the service discovery page. Affected versions span all currently maintained branches: Checkmk below 2.5.0p5, below 2.4.0p31, below 2.3.0p48, and all 2.2.0 releases with no patch for that branch. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the stored nature of the XSS and its targeting of privileged user sessions make it a meaningful lateral-privilege and session-compromise vector within Checkmk deployments.

Technical ContextAI

Checkmk is an enterprise IT monitoring platform (CPE: cpe:2.3:a:checkmk_gmbh:checkmk:*:*:*:*:*:*:*:*) that supports both built-in and administrator-defined active and custom checks whose output is rendered in the web-based service discovery interface. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS): check output returned by active checks is persisted and later rendered in the service discovery page without sufficient sanitization. Because check output is stored server-side and replayed into the browser on demand, any administrator with check configuration rights can embed JavaScript or HTML that executes in the security context of any subsequent user who views that check output on the service discovery page.

RemediationAI

The primary fix is to upgrade to a vendor-released patched version: Checkmk 2.5.0p5, 2.4.0p31, or 2.3.0p48, as documented in the vendor advisory at https://checkmk.com/werk/17993. The 2.2.0 branch has no patch available; operators on that branch should plan an urgent upgrade to a supported and patched release. As a compensating control while patches are staged, access to active and custom check configuration should be restricted to the absolute minimum set of fully trusted administrators, reducing the attacker pool that can plant a payload. Auditing existing active and custom check configurations for unexpected HTML or JavaScript content in check output fields can help detect any prior injection attempts. No workaround is known that fully neutralizes the stored XSS without applying the vendor patch.

CVE-2017-14955 MEDIUM POC
5.9 Oct 02

Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, whi

CVE-2021-40904 HIGH POC
8.8 Mar 25

The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dok

CVE-2021-40905 HIGH POC
8.8 Mar 25

The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uplo

CVE-2024-28825 CRITICAL
9.8 Apr 24

Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta

CVE-2021-36563 MEDIUM POC
5.4 Jul 26

The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the W

CVE-2025-39666 CRITICAL
9.3 Apr 07

Local privilege escalation in Checkmk allows site users with high privileges to escalate to root by manipulating site co

CVE-2024-8606 CRITICAL
9.2 Sep 23

Bypass of two factor authentication in RestAPI in Checkmk < 2.3.0p16 and < 2.2.0p34 allows authenticated users to bypass

CVE-2023-31211 HIGH
8.8 Jan 12

Insufficient authentication flow in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows attacker to use locked credent

CVE-2025-32918 HIGH
8.8 Jul 04

A security vulnerability in autocomplete endpoint within the RestAPI of Checkmk (CVSS 8.8) that allows an authenticated

CVE-2023-6735 HIGH
8.8 Jan 12

Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escal

CVE-2023-6740 HIGH
8.8 Jan 12

Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user t

CVE-2024-28828 HIGH
8.8 Jul 10

Cross-Site request forgery in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) could lead to 1-click com

Share

EUVD-2026-35054 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy