CVE-2026-9549
4.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Summary
Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run the check on the service discovery page.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Checkmk GmbH | Checkmk | 2.5.0 < 2.5.0p5 | affected |
| Checkmk GmbH | Checkmk | 2.4.0 < 2.4.0p31 | affected |
| Checkmk GmbH | Checkmk | 2.3.0 < 2.3.0p48 | affected |
| Checkmk GmbH | Checkmk | 2.2.0 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.