Description
Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0 allows an attacker with dashboard creation privileges to store a crafted dashlet title link on a shared dashboard; the payload executes in the browser of any other user who clicks that link (stored cross-site scripting, XSS). Two conditions limit the attack: the attacker must already hold an account that can create dashboards (PR:L in the CVSS vector below), and the victim must be tricked into clicking the link rather than merely viewing the dashboard (UI:R).
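As an added illustration that is not Checkmk's code and is not taken from the advisory or the linked werks, the following Python shows the generic CWE-79 pattern behind this class of bug: a dashlet title rendered as a link without sanitization, beside a hardened version that HTML-escapes the text and allowlists the link scheme. It assumes the title link is emitted as an HTML `<a href>` element and that a `javascript:` URL is the kind of crafted link involved; both are assumptions for the example, not details the advisory states.

```python
import html
from urllib.parse import urlparse

# Assumption (not from the advisory): the dashlet title is rendered as an
# <a href="..."> element and the attacker controls both the visible title
# and the link target.
ALLOWED_SCHEMES = {"http", "https"}


def render_title_unsanitized(title: str, url: str) -> str:
    """Vulnerable pattern: attacker-controlled strings go straight into markup."""
    return f'<a href="{url}">{title}</a>'


def is_safe_link(url: str) -> bool:
    """Accept http(s) URLs and same-origin relative paths; reject everything else.

    The scheme check runs on a copy with whitespace and control characters
    removed, because browsers ignore those inside a scheme ("java\\tscript:"),
    so a naive startswith("javascript:") test is bypassable.
    """
    probe = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    parsed = urlparse(probe)
    if parsed.scheme == "":
        # Relative link; refuse protocol-relative "//host", which changes origin.
        return not probe.startswith("//")
    return parsed.scheme.lower() in ALLOWED_SCHEMES


def render_title_sanitized(title: str, url: str) -> str:
    """Hardened pattern: neutralise unsafe targets, then escape for the HTML context."""
    href = url.strip() if is_safe_link(url) else "#"
    return (
        f'<a href="{html.escape(href, quote=True)}">'
        f"{html.escape(title, quote=True)}</a>"
    )


# Constructed sample dashlets: one benign, one crafted by an attacker.
SAMPLE_DASHLETS = [
    ("Host overview", "/dashboard.py?name=hosts"),
    ("Click me", "javascript:fetch('/logout')"),
]

if __name__ == "__main__":
    for title, url in SAMPLE_DASHLETS:
        print("unsafe :", render_title_unsanitized(title, url))
        print("safe   :", render_title_sanitized(title, url))
```

The scheme allowlist is the important half: escaping alone keeps the `javascript:` target intact inside the attribute, so a click still runs the payload. Escaping the title handles the second injection point, where markup in the visible text would otherwise be rendered.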
References (3)
Vendor Advisory: https://checkmk.com/werk/19583
Vendor Advisory: https://checkmk.com/werk/19033
Third Party Advisory: https://www.vulncheck.com/advisories/checkmk-stored-cross-site-scripting-in-dashlet-title
Scores
CVSS v3.1 base score: 5.4 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0023 (percentile 13.4%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-79
Status: published
Products (1): checkmk/checkmk 2.2.0 (50 CPE variants)
Published: Apr 07, 2026
Tracked Since: Apr 07, 2026