Stored Cross-Site Scripting Vulnerability in Checkmk by tribe29
CVE-2026-3466

8.5HIGH

Key Information:

Vendor

Checkmk Gmbh

Status
Checkmk
Vendor
CVE Published:
7 April 2026

What is CVE-2026-3466?

A stored cross-site scripting (XSS) vulnerability exists in certain versions of Checkmk that results from insufficient sanitization of dashboard dashlet title links. Attackers with dashboard creation privileges can exploit this vulnerability by crafting malicious dashlet title links. When a victim clicks on these links on a shared dashboard, it could execute arbitrary scripts in the context of the user's session, potentially compromising sensitive information and allowing unauthorized actions.

Affected Version(s)

Checkmk 2.2.0

Checkmk 2.3.0 < 2.3.0p46

Checkmk 2.4.0 < 2.4.0p25

References

https://checkmk.com/werk/19033
vendor-advisory
https://checkmk.com/werk/19583
vendor-advisory
https://www.vulncheck.com/advisories/checkmk-stored-cross...
third-party-advisory

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alex Williams (Pellera Technologies)
.