CVE-2026-3466

Summary

Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.

Affected Software

VendorProductVersion RangeStatus
Checkmk GmbHCheckmk2.2.0affected
Checkmk GmbHCheckmk2.3.0 < 2.3.0p46affected
Checkmk GmbHCheckmk2.4.0 < 2.4.0p25affected
Checkmk GmbHCheckmk2.5.0b1 < 2.5.0affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References