CVE-2025-39663 | THREATINT

Description

Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML code into service outputs in the central site. Affecting Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (eol).

PUBLISHED Reserved 2025-04-16 | Published 2025-10-30 | Updated 2025-11-07 | Assigner Checkmk

HIGH: 8.5CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Product status

Default status

unaffected

2.4.0 (semver) before 2.4.0p14

affected

2.3.0 (semver) before 2.3.0p39

affected

2.2.0 (semver)

affected

2.1.0 (semver)

affected

Credits

Lisa Gnedt (SBA Research) reporter

References

github.com/...A-ADV-20250729-01_Checkmk_Cross_Site_Scripting exploit

seclists.org/fulldisclosure/2025/Nov/0

checkmk.com/werk/17998

github.com/...A-ADV-20250729-01_Checkmk_Cross_Site_Scripting

cve.org (CVE-2025-39663)

nvd.nist.gov (CVE-2025-39663)

Download JSON