CVE-2025-39663

HIGH

Checkmk < 2.3.0 - Basic XSS

Title source: rule

Description

Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML code into service outputs in the central site. Affecting Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (eol).

References (3)

[Vendor Advisory] https://checkmk.com/werk/17998

[Exploit, Third Party Advisory] https://github.com/sbaresearch/advisories/tree/82fd27e4570433464c30b35150b197db9a850f4e/2025/SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting

View Exploit ZIP pw:eip

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2025/Nov/0

Scores

CVSS v3 8.4

EPSS 0.0006

EPSS Percentile 19.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-80 CWE-79

Status published

Products (2)

checkmk/checkmk 2.3.0 (39 CPE variants)

checkmk/checkmk 2.4.0 (11 CPE variants)

Published Oct 30, 2025

Tracked Since Feb 18, 2026