Stored Cross-Site Scripting in Checkmk Affects Administrators
CVE-2026-9549

4.8 MEDIUM

Key Information:

CVE Published: 8 June 2026

What is CVE-2026-9549?

A stored cross-site scripting vulnerability in Checkmk allows an authenticated administrator to manipulate the output of the service discovery active check. By injecting malicious HTML or JavaScript into that output, an attacker can run their code in the browsers of administrators or users with host read permissions. The risk arises when checks are executed on the service discovery page, and it can compromise the security of user sessions and data.

Affected Version(s)

Checkmk 2.5.0 < 2.5.0p5

Checkmk 2.4.0 < 2.4.0p31

Checkmk 2.3.0 < 2.3.0p48
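
To triage an inventory against the ranges above, the following added example (not Checkmk's or the advisory's own code) classifies version strings per branch. It assumes stable versions look like `2.4.0` or `2.4.0p31`, optionally followed by a three-letter edition suffix such as `.cee`; the host names and the inventory are constructed sample data.

```python
import re

# Fixed patch level per affected branch, from the "Affected Version(s)" list.
FIXED_PATCH = {(2, 5, 0): 5, (2, 4, 0): 31, (2, 3, 0): 48}

# Assumed format: MAJOR.MINOR.SUB, optional pN patch, optional edition suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(?:\.[a-z]{3})?$")


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        # Betas, daily builds and anything else the listed ranges do not
        # describe are flagged for manual review instead of guessed at.
        return "unparsed"
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    patch = int(m.group(4) or 0)  # a plain "2.5.0" counts as patch level 0
    if branch not in FIXED_PATCH:
        return "not-listed"
    return "affected" if patch < FIXED_PATCH[branch] else "fixed"


def hosts_needing_action(inventory: dict) -> dict:
    """Map host -> status for every host that is not confirmed fixed."""
    result = {}
    for host, version in sorted(inventory.items()):
        status = classify(version)
        if status != "fixed":
            result[host] = status
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "mon-a": "2.5.0",
    "mon-b": "2.4.0p31",
    "mon-c": "2.3.0p47.cee",
    "mon-d": "2.5.0b2",
    "mon-e": "2.2.0p10",
}

if __name__ == "__main__":
    for host, status in hosts_needing_action(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Branches outside the three listed ones come back as `not-listed` because this page gives no information about them.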

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved