
Description

Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another user interacts with the crafted link.
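The flaw class described above is a URL validator that inspects the raw submitted string while the browser later interprets the HTML-decoded form of that string inside an href attribute, so a scheme spelled with HTML character references slips past a scheme check. The following is an added illustration of that pattern and its fix, not Checkmk's code: `naive_is_safe_url` models a validator that checks the scheme of the raw input, `hardened_is_safe_url` normalizes the value the way a browser will see it (HTML character references decoded, control characters dropped) before applying a scheme allowlist. All function names, the allowlist, and the sample inputs are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical allowlist for this example; a real deployment decides its own.
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_safe_url(url: str) -> bool:
    """Weak validator (the vulnerable pattern): looks at the raw string only.

    An HTML character reference such as &#115; contains '&', '#' and ';', none of
    which are valid scheme characters, so urlsplit reports an empty scheme and the
    value is waved through as if it were a relative link.
    """
    scheme = urlsplit(url).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def normalize_url(url: str) -> str:
    """Reduce the value to the form a browser will act on once it sits in an href.

    Used only for the validation decision; the original value is still escaped
    separately when rendered.
    """
    s = url
    # Bounded loop: handles double-encoded references such as &amp;#106;
    for _ in range(3):
        decoded = html.unescape(s)
        if decoded == s:
            break
        s = decoded
    # Drop ASCII control characters (tab, newline, NUL, ...) that browsers ignore
    s = "".join(ch for ch in s if ord(ch) > 0x1F and ord(ch) != 0x7F)
    return s.strip()


def hardened_is_safe_url(url: str) -> bool:
    """Validate the normalized value with a scheme allowlist."""
    s = normalize_url(url)
    parts = urlsplit(s)
    if parts.scheme:
        return parts.scheme.lower() in ALLOWED_SCHEMES
    if parts.netloc:
        # Scheme-relative "//host/..." would leave the site; reject it too.
        return False
    # Scheme-less: accept only a relative reference whose first segment has no
    # colon, so nothing that a browser could parse as a scheme survives.
    head = re.split(r"[/?#]", s, maxsplit=1)[0]
    return ":" not in head


def compare_validators(urls):
    """Return {url: (naive_result, hardened_result)} for a list of candidate links."""
    return {u: (naive_is_safe_url(u), hardened_is_safe_url(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate links, then encoded variants of
    # a javascript: URI that the raw-string check does not recognize.
    samples = [
        "https://monitoring.example/check_mk/",
        "/check_mk/view.py?view_name=host",
        "javascript:alert(1)",
        "java&#115;cript:alert(1)",
        "javascript&#58;alert(1)",
        "&amp;#106;avascript:alert(1)",
    ]
    for url, (naive, hardened) in compare_validators(samples).items():
        print(f"{url!r:40} naive={naive!s:5} hardened={hardened}")
```

The naive check accepts every encoded variant because it never sees the decoded scheme; the hardened check rejects them all while still accepting absolute http(s) links and site-relative paths. Normalization here is deliberately conservative (it decodes slightly more than a browser does in attribute context), which only causes extra rejections, never extra acceptances. Validation on the decoded form complements, and does not replace, escaping the value when it is written into the page.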

Status: PUBLISHED | Reserved 2026-05-18 | Published 2026-06-08 | Updated 2026-06-08 | Assigner: Checkmk

Severity

HIGH: 8.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N)

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status: unaffected

2.5.0 (semver) before 2.5.0p5: affected

2.4.0 (semver) before 2.4.0p31: affected

2.3.0 (semver) before 2.3.0p48: affected

2.2.0 (semver), all versions: affected

Credits

Arvato Systems Offensive Security (reporter)

References

checkmk.com/werk/20002 (vendor advisory)

cve.org (CVE-2026-8833)

nvd.nist.gov (CVE-2026-8833)