Impact
The vulnerability is a stored cross‑site scripting bug that occurs in the Pending Changes sidebar of Checkmk’s 2.5.0 beta versions before the 2.5.0b2 release. Authenticated users who have permission to create pending changes can embed arbitrary JavaScript into the sidebar. When another user opens the sidebar, the injected script runs in that user’s browser, allowing the attacker to steal session cookies, perform phishing, or tamper with user data. This is a classic stored XSS (CWE‑79) that impacts confidentiality and integrity of data displayed in the UI.
Affected Systems
The flaw affects deployments of Checkmk, released by Checkmk GmbH, that run a 2.5.0 beta version prior to the 2.5.0b2 update. The CPE strings cpe:2.3:a:checkmk:checkmk:* and cpe:2.3:a:checkmk:checkmk:2.5.0:b1:* identify the vulnerable product and version series.
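To check an inventory of sites against the affected range stated above, the following added example (not code from Checkmk or from this advisory) flags 2.5.0 beta builds earlier than 2.5.0b2. The version-string layout, including the optional edition suffix, and the sample inventory are assumptions constructed for illustration.

```python
import re

# Assumed Checkmk version layout: <major>.<minor>.<patch><tag><n>[.<edition>],
# where tag "b" marks a beta build and "p" a patch release.
_VERSION_RE = re.compile(
    r"^(?P<base>\d+\.\d+\.\d+)"
    r"(?:(?P<tag>[a-z])(?P<num>\d+))?"
    r"(?:\.(?P<edition>[a-z]{3}))?$"
)

FIXED_BETA = 2  # per the advisory: fixed in 2.5.0b2


def is_affected(version: str) -> bool:
    """True if version is a 2.5.0 beta earlier than 2.5.0b2."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (
        m["base"] == "2.5.0"
        and m["tag"] == "b"
        and int(m["num"]) < FIXED_BETA
    )


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each site to 'affected', 'not affected' or 'unparsed'."""
    result = {}
    for site, version in inventory.items():
        try:
            result[site] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            # Daily builds or unknown formats need a manual look.
            result[site] = "unparsed"
    return result


# Constructed inventory (site name -> reported version), not real data.
SAMPLE = {
    "prod": "2.4.0p12.cee",
    "staging": "2.5.0b1.cee",
    "lab": "2.5.0b2",
    "dev": "2.5.0-2025.10.01.cre",
}

if __name__ == "__main__":
    for site, status in triage(SAMPLE).items():
        print(f"{site:8} {SAMPLE[site]:24} {status}")
```

Versions reported as unparsed are not cleared; they need a manual comparison against the 2.5.0b2 fix.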
Risk and Exploitability
The CVSS score of 8.5 indicates high severity. The EPSS score is below 1%, suggesting that widespread exploitation is currently unlikely, and the flaw is not catalogued in CISA’s KEV list. Nonetheless, the attack requires only authenticated access with permission to create pending changes; an insider or compromised account can inject malicious code that will execute in the browsers of users who view the sidebar. Organizations that grant broad pending‑change permissions should be particularly vigilant, as the vulnerability can be leveraged to deliver client‑side attacks with the privileges of any user who consumes the sidebar content.