Description
Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another user interacts with the crafted link.
Published: 2026-06-08
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user with access to Checkmk can craft a malicious link containing a javascript: URI, because the URL validation logic fails to neutralize HTML‑encoded characters before inspecting the URL. When another user clicks the link, the browser interprets the payload as executable code, allowing the attacker to run arbitrary scripts in the victim’s session. The underlying weakness is improper input neutralization (CWE‑79) and the impact is browser‑based cross‑site scripting.

Affected Systems

Checkmk products from Checkmk GmbH are vulnerable in all versions prior to 2.5.0p5, prior to 2.4.0p31, prior to 2.3.0p48, and every 2.2.0 release. Any environment running one of these affected releases is subject to the vulnerability.

Risk and Exploitability

With a CVSS score of 8.5, the flaw is considered high severity. The EPSS score is not available, and the vulnerability has not been listed in the CISA KEV catalog. Exploitation requires that an attacker be authenticated to the Checkmk instance to create the problematic link, and that a different user later click on that link. Once triggered, the effect is immediate XSS in the victim’s browser, allowing an attacker to steal session data, deface pages, or perform account takeover actions.

Generated by OpenCVE AI on June 8, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Checkmk to version 2.5.0p5 or later (or any version beyond the affected releases).
  • If an upgrade is not immediately viable, limit the accepted URL scheme by configuring the application to reject or encode javascript: and other dangerous schemes in user‑supplied URLs. This mitigates the risk until a patch is applied.
  • Enforce strict input validation on any user‑supplied URLs by sanitising or allowlisting schemes on the backend, after decoding HTML entities and other encodings, so that the sanitisation layer follows CWE‑79 mitigation guidance and prevents similar flaws in the future.
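As an added illustration of the allowlisting step above (example code, not Checkmk's own implementation), the following Python compares a naive scheme check with one that decodes HTML entities and strips control characters before looking at the scheme. The allowlist, the function names and the sample inputs are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed allowlist of schemes a user-supplied link may use.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers drop ASCII control characters, tab and newline from a URL
# before parsing its scheme, so the validator must drop them too.
_STRIP_RE = re.compile(r"[\x00-\x20\x7f]")


def naive_is_safe_url(url: str) -> bool:
    """Weak check: inspects the raw string only, so an HTML entity in the
    scheme (e.g. '&#106;avascript:') is not recognised as javascript:."""
    return not url.lower().startswith("javascript:")


def normalize_url(url: str) -> str:
    """Decode HTML entities until the string is stable (bounded, to handle
    double encoding such as '&amp;#106;'), then remove control characters."""
    prev, cur = None, url
    for _ in range(5):
        if cur == prev:
            break
        prev, cur = cur, html.unescape(cur)
    return _STRIP_RE.sub("", cur)


def is_safe_url(url: str) -> bool:
    """Hardened check: normalize first, then allowlist the parsed scheme.
    Scheme-less (relative) URLs are accepted; anything unparsable is rejected."""
    try:
        parts = urlsplit(normalize_url(url))
    except ValueError:
        return False
    if parts.scheme == "":
        return True
    return parts.scheme.lower() in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample inputs: the entity-encoded scheme passes the naive
    # check but is rejected once the URL is normalized first.
    for sample in ("https://example.com/view", "&#106;avascript:alert(1)"):
        print(sample, naive_is_safe_url(sample), is_safe_url(sample))
```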

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 13:30:00 +0000

Type      Values Removed    Values Added
Metrics   (none)            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 13:00:00 +0000

Type                  Values Removed    Values Added
Description           (none)            Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another user interacts with the crafted link.
Title                 (none)            XSS in urls
First Time appeared   (none)            Checkmk
                                        Checkmk checkmk
Weaknesses            (none)            CWE-79
CPEs                  (none)            cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*
                                        cpe:2.3:a:checkmk:checkmk:2.2.0:*:*:*:*:*:*:*
Vendors & Products    (none)            Checkmk
                                        Checkmk checkmk
References            (none)            (none)
Metrics               (none)            cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Checkmk

Published:

Updated: 2026-06-08T13:02:45.679Z

Reserved: 2026-05-18T14:06:43.958Z

Link: CVE-2026-8833

Vulnrichment

Updated: 2026-06-08T13:02:42.423Z

NVD

Status: Awaiting Analysis

Published: 2026-06-08T13:16:33.900

Modified: 2026-06-08T15:00:38.710

Link: CVE-2026-8833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T14:45:04Z

Weaknesses