1445 matches found
CVE-2026-9549
Stored cross-site scripting in the service discovery active check output in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an adm...
CVE-2026-9549
Technical details are not publicly available in the provided documents. Monitor for updates.
EUVD-2026-35054
Stored cross-site scripting in the service discovery active check output in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an adm...
CVE-2026-9549 Fix XSS in service discovery active check output
Stored cross-site scripting in the service discovery active check output in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an adm...
EUVD-2026-35053
Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another...
CVE-2026-8833
Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another...
CVE-2026-8833 XSS in urls
Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another...
CVE-2026-8833
CVE-2026-8833 affects Checkmk versions <2.5.0p5, <2.4.0p31,
CVE-2026-8833 XSS in urls
Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another...
CVE-2026-8078
CVE-2026-8078 is a stored cross-site scripting vulnerability in Checkmk’s global settings change log. It affects Checkmk versions <2.5.0p5, <2.4.0p31,
CVE-2026-8078 Fix stored XSS in global settings change log
Stored cross-site scripting in the global settings change log in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the...
EUVD-2026-35052
Stored cross-site scripting in the global settings change log in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the...
CVE-2026-8078
Stored cross-site scripting in the global settings change log in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the...
CVE-2026-7765
Checkmk
CVE-2026-7765 User Messages widget leaked issuer messages on shared dashboards
Incorrect authorization in the User Messages dashboard widget in Checkmk 2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by...
CVE-2026-7765 User Messages widget leaked issuer messages on shared dashboards
Incorrect authorization in the User Messages dashboard widget in Checkmk 2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by...
CVE-2026-7765
Incorrect authorization in the User Messages dashboard widget in Checkmk 2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by...
EUVD-2026-35051
Incorrect authorization in the User Messages dashboard widget in Checkmk 2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by...
CVE-2026-7186
Stored cross-site scripting in the URL dashboard widget in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the...
CVE-2026-7186 Fix stored XSS in URL dashboard widget via dangerous URI schemes
Stored cross-site scripting in the URL dashboard widget in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the...