CVE-2026-8078
4.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Summary
Stored cross-site scripting in the global settings change log in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the Activate Changes page or Audit log.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Checkmk GmbH | Checkmk | 2.5.0 < 2.5.0p5 | affected |
| Checkmk GmbH | Checkmk | 2.4.0 < 2.4.0p31 | affected |
| Checkmk GmbH | Checkmk | 2.3.0 < 2.3.0p48 | affected |
| Checkmk GmbH | Checkmk | 2.2.0 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.