Impact
Insufficient sanitization of links embedded in dashboard dashlet titles allows an attacker with dashboard-creation privileges to store a malicious URL. When a victim opens the shared dashboard and clicks the crafted link, the attacker's script executes in the victim's browser, where it can read session information, deface the interface or perform other client-side actions under the victim's identity. The vulnerability is a classic stored XSS and can be leveraged to compromise user accounts and to spread attacks further inside the organization.
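The root cause described above is a user-supplied link target that reaches the page without a scheme allow-list. As an added example (not Checkmk's own code; function names are hypothetical), the following sanitizer shows the defensive check: it normalizes the URL the way a browser does before parsing, accepts only http/https or same-origin relative links, rejects everything else outright, and HTML-escapes the title text.

```python
"""Allow-list sanitizer for user-supplied link targets in dashlet titles.

Added example, not Checkmk's own code. Function names are hypothetical.
"""
import html
from typing import Optional
from urllib.parse import urlsplit

# Schemes a dashlet link may legitimately use. Anything else (javascript:,
# data:, vbscript:, ...) is rejected rather than "cleaned".
ALLOWED_SCHEMES = frozenset({"http", "https"})

# C0 control characters and space: browsers strip these from the ends of a
# URL and drop tabs/newlines anywhere, so the check must see the same string.
_STRIP_CHARS = "".join(chr(c) for c in range(0x21))


def _normalize(url: str) -> str:
    """Mimic the browser's pre-parse steps so "  java\\tscript:" is seen as
    "javascript:" and "\\\\host" is seen as the protocol-relative "//host"."""
    url = url.strip(_STRIP_CHARS)
    url = url.replace("\t", "").replace("\n", "").replace("\r", "")
    return url.replace("\\", "/")


def sanitize_link(url: Optional[str]) -> Optional[str]:
    """Return a link safe to place in an href attribute, or None to reject."""
    if not url:
        return None
    url = _normalize(url)
    parts = urlsplit(url)
    if parts.scheme == "":
        # Scheme-less links are relative and stay on this origin, except a
        # protocol-relative "//host/..." which silently changes origin.
        return None if parts.netloc else url
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    return url


def render_dashlet_title(title: str, url: Optional[str]) -> str:
    """Render the title as HTML: text is always escaped, and a link is
    emitted only when the sanitizer accepts the target."""
    safe_text = html.escape(title, quote=True)
    safe_url = sanitize_link(url)
    if safe_url is None:
        return safe_text
    return f'<a href="{html.escape(safe_url, quote=True)}">{safe_text}</a>'
```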
Affected Systems
The flaw affects Checkmk version 2.2.0 (end‑of‑life), Checkmk 2.3.0 prior to 2.3.0p46, Checkmk 2.4.0 prior to 2.4.0p25, and Checkmk 2.5.0 (beta) prior to the first update; it is specific to the application delivered by Checkmk GmbH.
Risk and Exploitability
The CVSS score of 8.5 classifies the issue as high severity. EPSS is below 1 %, indicating that large-scale exploitation is not common, and the vulnerability is not listed in the CISA KEV catalogue. Exploitation requires an attacker to create a malicious dashboard and a victim with access to the shared dashboard who clicks the injected link. User interaction is therefore required; however, once the victim clicks, the attacker's script runs in the victim's browser session with full client-side control. Consequently, the risk to an organization that permits dashboard creation by multiple users is non-negligible and warrants swift remediation.
OpenCVE Enrichment