Description

Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.

Status: PUBLISHED | Reserved: 2026-03-03 | Published: 2026-04-07 | Updated: 2026-04-22 | Assigner: Checkmk

Severity: HIGH, 8.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N)

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status: unaffected

2.2.0 (semver): affected

2.3.0 (semver) before 2.3.0p46: affected

2.4.0 (semver) before 2.4.0p25: affected

2.5.0b1 (semver) before 2.5.0: affected

Credits

Alex Williams (Pellera Technologies), reporter

References

checkmk.com/werk/19033 (vendor advisory)

checkmk.com/werk/19583 (vendor advisory)

www.vulncheck.com/...d-cross-site-scripting-in-dashlet-title (third-party advisory)

cve.org (CVE-2026-3466)

nvd.nist.gov (CVE-2026-3466)