Stored Cross-Site Scripting in Checkmk Affects Administrators
CVE-2026-9549
4.8 MEDIUM
What is CVE-2026-9549?
A stored cross-site scripting vulnerability in Checkmk allows an authenticated administrator to manipulate the output of the service discovery active check. By injecting malicious HTML or JavaScript into that output, the attacker can run code in the browsers of administrators or users with host read permissions. The injected code runs when checks are executed on the service discovery page, which can compromise user sessions and data.
Affected Version(s)
Checkmk 2.5.0 < 2.5.0p5
Checkmk 2.4.0 < 2.4.0p31
Checkmk 2.3.0 < 2.3.0p48
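To check an inventory of sites against the ranges listed above, the following added example (not code from this page or from the Checkmk project) classifies version strings per branch. The version string shape, the edition suffix handling, and the site names are assumptions made for illustration.

```python
import re

# Fixed patch level per branch, from the "Affected Version(s)" list on this page.
FIXED_PATCH = {"2.5.0": 5, "2.4.0": 31, "2.3.0": 48}

# Assumption: versions look like "<branch>[p<N>]" with an optional edition
# suffix such as ".cee". Anything else (betas, daily builds) is left unparsed,
# because the page gives no range for it.
_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:p(\d+))?(?:\.[a-z]+)?$")


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'not listed' or 'unparsed' for one version."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"
    branch, patch = m.group(1), int(m.group(2) or 0)  # "2.4.0" counts as p0
    if branch not in FIXED_PATCH:
        return "not listed"
    return "affected" if patch < FIXED_PATCH[branch] else "fixed"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group site names by classification so 'affected' can be patched first."""
    report: dict[str, list[str]] = {}
    for site, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(site)
    return report


# Constructed inventory: site names and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "prod": "2.4.0p30.cee",
    "lab": "2.5.0p5",
    "legacy": "2.3.0",
    "old": "2.2.0p40",
    "preview": "2.5.0b2",
}

if __name__ == "__main__":
    for status, sites in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(sites)}")
```

Sites reported as "unparsed" or "not listed" need a manual check against the vendor advisory, since the ranges on this page do not cover them.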
