Cross-Site Scripting Vulnerability in Checkmk by Tribe29
CVE-2025-39663

8.5 HIGH

Key Information:

CVE Published: 30 October 2025

What is CVE-2025-39663?

A Cross-Site Scripting (XSS) vulnerability exists in Checkmk's distributed monitoring system: a compromised remote site can inject harmful HTML code into service outputs displayed at the central site. The flaw affects Checkmk 2.4.0 before 2.4.0p14, 2.3.0 before 2.3.0p39, 2.2.0, and the end-of-life 2.1.0. The issue poses a significant risk because it can allow attackers to execute arbitrary scripts in the context of the end user's session.

Affected Version(s)

Checkmk 2.4.0 < 2.4.0p14

Checkmk 2.3.0 < 2.3.0p39

Checkmk 2.2.0

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lisa Gnedt (SBA Research)