Fix XSS in service discovery active check output
CVE-2026-9549

4.8MEDIUM

Key Information:

Vendor: Checkmk Gmbh
Status: Checkmk
Vendor: CVE Published:; 8 June 2026

🔔 Create Checkmk Gmbh Vulnerability Alert

What is CVE-2026-9549?

Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run the check on the service discovery page.

Affected Version(s)

Checkmk 2.5.0 < 2.5.0p5

Checkmk 2.4.0 < 2.4.0p31

Checkmk 2.3.0 < 2.3.0p48

References

https://checkmk.com/werk/17993

vendor-advisory

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
May 26, 2026

CVE-2026-9549 Data

JSON