Description
Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature.
Published: 2026-03-31
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in Checkmk 2.5.0 beta releases prior to 2.5.0b2. It allows authenticated users who have permission to create hosts or services to insert arbitrary JavaScript into host or service names. When other users perform searches in the Unified Search feature, the unescaped name is rendered, and the embedded script executes in their browsers.

Affected Systems

Checkmk GmbH’s Checkmk product, specifically the 2.5.0 beta version before 2.5.0b2. The affected build identifiers include 2.5.0:b1 and all earlier 2.5.0 beta releases as listed by the CNA.

Risk and Exploitability

The CVSS base score of 8.6 indicates high severity, while an EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires a user account with host or service creation rights; the attacker must authenticate and then supply specially crafted host or service names that are rendered without proper escaping in the Unified Search results. The impact is arbitrary JavaScript execution in the browsers of other users who view the search results.

Generated by OpenCVE AI on April 2, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Checkmk to version 2.5.0b2 or later to eliminate the flaw.
  • If an upgrade cannot be performed immediately, restrict host and service creation permissions to trusted accounts only.
  • Avoid creating host or service names that include special characters likely to be rendered as scripts until the vulnerability is fixed.
  • Monitor user activity for unexpected script execution or anomalous browser behavior.

Generated by OpenCVE AI on April 2, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://checkmk.com/werk/19525 cve-icon cve-icon
History

Thu, 02 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:checkmk:checkmk:2.5.0:b1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 31 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature.
Title XSS in Unified Search via Unescaped Host/Service Names
First Time appeared Checkmk
Checkmk checkmk
Weaknesses CWE-79
CPEs cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*
Vendors & Products Checkmk
Checkmk checkmk
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N'}

Subscriptions

Checkmk Checkmk
cve-icon MITRE

Status: PUBLISHED

Assigner: Checkmk

Published:

Updated: 2026-03-31T15:45:36.069Z

Reserved: 2026-03-23T10:47:17.577Z

Link: CVE-2026-33276

cve-icon Vulnrichment

Updated: 2026-03-31T15:45:32.835Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T15:16:14.173

Modified: 2026-04-02T12:05:12.983

Link: CVE-2026-33276

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:22:37Z

Weaknesses