Description

A Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML into service outputs that are rendered on the central site. Affected: Checkmk before 2.4.0p14, before 2.3.0p39, and the 2.2.0 and 2.1.0 (EOL) release lines.

Status: PUBLISHED | Reserved: 2025-04-16 | Published: 2025-10-30 | Updated: 2025-10-30 | Assigner: Checkmk

Severity: HIGH, 8.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Product status

Default status: unaffected

2.4.0 (semver) before 2.4.0p14: affected

2.3.0 (semver) before 2.3.0p39: affected

2.2.0 (semver): affected

2.1.0 (semver): affected

Credits

Lisa Gnedt (SBA Research), reporter

References

checkmk.com/werk/17998

github.com/...A-ADV-20250729-01_Checkmk_Cross_Site_Scripting

cve.org (CVE-2025-39663)

nvd.nist.gov (CVE-2025-39663)