CVE-2026-8078

Summary

Stored cross-site scripting in the global settings change log in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the Activate Changes page or Audit log.

Affected Software

VendorProductVersion RangeStatus
Checkmk GmbHCheckmk2.5.0 < 2.5.0p5affected
Checkmk GmbHCheckmk2.4.0 < 2.4.0p31affected
Checkmk GmbHCheckmk2.3.0 < 2.3.0p48affected
Checkmk GmbHCheckmk2.2.0affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References