Description
Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run the check on the service discovery page.
Published: 2026-06-08
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross-site scripting flaw is present in the service discovery active check output component of Checkmk, allowing an attacker who can configure active or custom checks to inject arbitrary HTML or JavaScript. When an administrator or a user with host read permissions accesses the service discovery page, the malicious code executes within the victim's browser, potentially exposing session cookies or allowing additional malicious actions. The vulnerability is classified as CWE-79 (cross-site scripting).

Affected Systems

Checkmk by Checkmk GmbH is affected. Versions lower than 2.5.0p5, 2.4.0p31, 2.3.0p48, and all releases of the 2.2.0 branch contain the issue. Updated releases beyond these thresholds incorporate the fix.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and the EPSS score is not available, so exploitation likelihood is unknown. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the capability to create or edit active/custom checks, implying privileged access is needed; however, once the malicious output is present, any user who views the service discovery page can be affected. There are no publicly reported exploits at this time.

Generated by OpenCVE AI on June 8, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Checkmk to a version newer than 2.5.0p5, 2.4.0p31, 2.3.0p48, or the patched 2.2.0 release to eliminate the stored XSS flaw
  • Restrict permission to create or modify active and custom checks so that only trusted administrators have this capability
  • Implement input validation and output escaping for custom check results to prevent injection of unsanitized HTML or script

Advisories

No advisories yet.

References
History

Mon, 08 Jun 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 13:00:00 +0000

Type                 Values Removed   Values Added
Description          -                Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run the check on the service discovery page.
Title                -                Fix XSS in service discovery active check output
First Time appeared  -                Checkmk; Checkmk checkmk
Weaknesses           -                CWE-79
CPEs                 -                cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*; cpe:2.3:a:checkmk:checkmk:2.2.0:*:*:*:*:*:*:*
Vendors & Products   -                Checkmk; Checkmk checkmk
References           -                -
Metrics              -                cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Checkmk

Published:

Updated: 2026-06-08T13:02:20.748Z

Reserved: 2026-05-26T07:04:28.900Z

Link: CVE-2026-9549

Vulnrichment

Updated: 2026-06-08T13:02:17.407Z

NVD

Status: Awaiting Analysis

Published: 2026-06-08T13:16:34.030

Modified: 2026-06-08T15:00:38.710

Link: CVE-2026-9549

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T15:45:06Z

Weaknesses