Impact
The flaw exists because Checkmk does not properly sanitize the link titles embedded in dashboard dashlets. An attacker who can create or edit dashboards can store a malicious URL in the title field. When a user views a shared dashboard and clicks the crafted title, the browser executes the injected script, enabling the attacker to run arbitrary code in the victim’s browser. This stored cross‑site scripting propagates only through the shared dashboard view and relies on a user click to trigger the vulnerability.
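The rendering pattern the advisory describes, as an added example that is not Checkmk's code: a dashlet link whose stored title and URL are concatenated straight into markup, beside a hardened version that allow-lists the URL scheme and escapes both values. All names and the sample links are constructed for illustration.

```javascript
// Added example, not Checkmk's implementation. Hypothetical helpers showing
// why a stored dashlet link title/URL must be validated and escaped before
// it is rendered for whoever views the shared dashboard.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Minimal HTML escaping for text placed inside element content or an attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: whatever the dashboard author saved reaches the
// viewer's DOM unchanged, both as the href and as the visible title.
function renderLinkUnsafe(link) {
  return `<a href="${link.url}">${link.title}</a>`;
}

// Hardened pattern: the URL must parse and use an allow-listed scheme, and
// both values are escaped before they enter markup. A rejected URL is shown
// as plain text so the dashlet still renders something sensible.
function renderLinkSafe(link, base = "https://monitoring.example.invalid/") {
  let href = null;
  try {
    const parsed = new URL(link.url, base); // base is a constructed placeholder
    if (ALLOWED_SCHEMES.has(parsed.protocol)) href = parsed.href;
  } catch (_) { /* unparseable URL: fall through to plain text */ }
  const title = escapeHtml(link.title);
  if (href === null) return `<span class="dashlet-link-invalid">${title}</span>`;
  return `<a href="${escapeHtml(href)}" rel="noopener">${title}</a>`;
}

// Constructed sample links: one ordinary, one with a non-http scheme and
// markup in the title, as a dashboard author with edit rights could store.
const sampleLinks = [
  { title: "Host overview", url: "https://monitoring.example.invalid/view.py?view_name=hosts" },
  { title: "Status <b>bold</b>", url: "javascript:void(0)" },
];

for (const l of sampleLinks) console.log(renderLinkSafe(l));
```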
Affected Systems
Checkmk GmbH’s Checkmk product is affected. The vulnerable releases span Checkmk 2.2.0 (end‑of‑life), all releases of the 2.3 series before patch 2.3.0p46, all releases of the 2.4 series before patch 2.4.0p25, and the 2.5.0 beta line before patch 2.5.0b3. Administrators should verify whether their deployment falls within any of these ranges and note that only dashboard‑creation privileges are required to store the payload.
Risk and Exploitability
The CVSS base score of 8.5 categorises the vulnerability as high severity. No EPSS data is available and the issue is not listed in the CISA KEV catalog. Exploitation requires the attacker to have dashboard‑creation or editing rights and a victim to click the malicious title on a shared dashboard. The attack therefore depends on a human action: it is a client‑side stored XSS that executes arbitrary script within the context of the victim’s browser but does not directly compromise the server itself.
OpenCVE Enrichment