CVE-2026-9549
MediumCVSS 4.8Summary
In Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions, there is a stored XSS vulnerability in the active check output of service discovery. Administrators can inject malicious HTML or JavaScript that executes in the browsers of admins or users with host read permissions.
Risk Assessment
An attacker could exploit this vulnerability to execute malicious code in users' browsers, potentially leading to data theft or session hijacking. This poses a significant security risk to the organization.
Recommendation
It is recommended to update Checkmk to the latest version to mitigate this vulnerability. Additionally, restrict administrator permissions for configuring active checks.
Original NVD description (English source)
Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run the check on the service discovery page.

