Fix stored XSS in global settings change log
CVE-2026-8078

4.8MEDIUM

Key Information:

Vendor: Checkmk Gmbh
Status: Checkmk
Vendor: CVE Published:; 8 June 2026

🔔 Create Checkmk Gmbh Vulnerability Alert

What is CVE-2026-8078?

Stored cross-site scripting in the global settings change log in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the Activate Changes page or Audit log.

Affected Version(s)

Checkmk 2.5.0 < 2.5.0p5

Checkmk 2.4.0 < 2.4.0p31

Checkmk 2.3.0 < 2.3.0p48

References

https://checkmk.com/werk/17992

vendor-advisory

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-8078 Data

JSON