CVE Catalog

CVE-2026-8833

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.05%

15th percentile - higher than 15% of all known CVEs

Summary

In Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions, there is improper neutralization of HTML-encoded characters in the URL validation function. This allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, leading to cross-site scripting when another user interacts with the crafted link.

Risk Assessment

The organization may be exposed to cross-site scripting attacks, which can lead to user data theft or session hijacking. Exploitation of this vulnerability may also impact the organization's reputation and user trust.

Recommendation

It is recommended to update Checkmk to the latest version to eliminate this vulnerability. Additionally, conducting a security audit of the application is advisable to identify and remediate other potential vulnerabilities.

Original NVD description (English source)

Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another user interacts with the crafted link.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS