Description
Stored cross-site scripting (XSS) in Checkmk version 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar.
Published: 2026-03-31
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: Stored cross-site scripting
Action: Immediate Patch
AI Analysis

Impact

Checkmk version 2.5.0 (beta) prior to 2.5.0b2 contains a stored cross-site scripting flaw. An authenticated user who has permission to create pending changes can embed malicious JavaScript into the Pending Changes sidebar. When another user opens that sidebar, the injected script runs in the victim's browser, letting the attacker execute arbitrary JavaScript in the context of the victim's session.

Affected Systems

The affected product is Checkmk by Checkmk GmbH. The vulnerability is present in version 2.5.0 (beta) builds older than 2.5.0b2. No other products or versions are listed.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. Because exploitation requires an authenticated account with permission to create pending changes, the attack surface is limited to users holding that permission. The flaw is not yet listed in the CISA KEV catalog, but once an attacker obtains such an account, every user who views the sidebar can be affected, so the risk is significant for organizations that grant the permission.

Generated by OpenCVE AI on March 31, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Checkmk to version 2.5.0b2 or later, which removes the stored XSS flaw.
  • If upgrading is not immediately possible, remove or restrict the permission that allows users to create pending changes until the patch is applied.
  • Verify after remediation that the pending changes sidebar no longer accepts or displays arbitrary JavaScript.

Advisories

No advisories yet.

References

History

Tue, 31 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | Stored cross-site scripting (XSS) in Checkmk version 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar.
Title | | Stored cross-site scripting in Pending Changes sidebar
First Time appeared | | Checkmk; Checkmk checkmk
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*
Vendors & Products | | Checkmk; Checkmk checkmk
References | |
Metrics | | cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Checkmk

Published:

Updated: 2026-03-31T17:15:54.753Z

Reserved: 2026-03-23T10:47:17.588Z

Link: CVE-2026-20915

Vulnrichment

Updated: 2026-03-31T17:15:51.145Z

NVD

Status: Received

Published: 2026-03-31T15:16:11.527

Modified: 2026-03-31T15:16:11.527

Link: CVE-2026-20915

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:32Z

Weaknesses