Description
Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link.
Published: 2026-02-26
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting enabling arbitrary JavaScript execution that can be used for phishing or session hijacking
Action: Immediate Patch
AI Analysis

Impact

An attacker who can manipulate the output of a host check can inject untrusted JavaScript into Synthetic Monitoring HTML logs. This flaw is an instance of improper input neutralization (CWE‑79) and can lead to arbitrary script execution when users view the logs. The injected code can be used in a crafted phishing link to compromise user credentials or perform other malicious actions.

Affected Systems

The vulnerability affects Checkmk releases 2.4.0 and earlier versions prior to patch 2.4.0p22, and releases 2.3.0 and earlier versions prior to patch 2.3.0p43. The affected vendor is Checkmk GmbH and the product name is Checkmk.

Risk and Exploitability

The CVSS score of 7.3 indicates a high‑severity flaw, while the EPSS score of less than 1% suggests that the likelihood of widespread active exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker can modify host check output—typically requiring privileged or local access. Once the payload is injected, the flaw can be abused via a crafted phishing link that delivers the malicious JavaScript to any user who views the Synthetic Monitoring logs.

Generated by OpenCVE AI on April 20, 2026 at 16:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Checkmk 2.4.0p22 or later, or to Checkmk 2.3.0p43 or later, depending on the installed release.
  • Limit or restrict local or privileged access to the host check output that generates Synthetic Monitoring logs so that only authorized users can modify it.
  • Apply a content‑security policy that blocks inline script execution in the Synthetic Monitoring HTML logs to reduce the impact of any residual XSS injection.

Generated by OpenCVE AI on April 20, 2026 at 16:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
References

Mon, 02 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:checkmk:checkmk:2.3.0:-:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:b1:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:b2:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:b3:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:b4:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:b5:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:b6:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p10:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p11:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p12:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p13:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p14:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p15:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p16:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p17:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p18:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p19:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p1:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p20:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p21:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p22:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p23:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p24:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p25:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p26:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p27:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p28:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p29:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p2:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p30:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p31:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p32:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p33:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p34:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p35:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p36:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p37:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p38:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p39:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p3:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p40:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p41:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p42:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p4:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p5:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p6:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p7:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p8:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.3.0:p9:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:-:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:b1:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:b2:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:b3:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:b4:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:b5:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:b6:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p10:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p11:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p12:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p13:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p14:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p15:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p16:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p17:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p18:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p19:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p1:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p20:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p21:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p2:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p3:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p4:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p5:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p6:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p7:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p8:*:*:*:*:*:*
cpe:2.3:a:checkmk:checkmk:2.4.0:p9:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link.
Title Cross-site scripting in HTML logs of Synthetic Monitoring test services
First Time appeared Checkmk
Checkmk checkmk
Weaknesses CWE-79
CPEs cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*
Vendors & Products Checkmk
Checkmk checkmk
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N'}

Subscriptions

Checkmk Checkmk
cve-icon MITRE

Status: PUBLISHED

Assigner: Checkmk

Published:

Updated: 2026-04-14T14:28:26.527Z

Reserved: 2025-11-12T09:16:24.094Z

Link: CVE-2025-64999

cve-icon Vulnrichment

Updated: 2026-02-26T14:28:49.516Z

cve-icon NVD

Status : Modified

Published: 2026-02-26T11:16:02.203

Modified: 2026-03-05T15:16:10.623

Link: CVE-2025-64999

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T16:45:11Z

Weaknesses