CVE Catalog

CVE-2026-7186

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Summary

Stored cross-site scripting in the URL dashboard widget in Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the dashboard.

Risk Assessment

An attacker can exploit this vulnerability to inject malicious code, potentially leading to data theft or session hijacking of users viewing the dashboard.

Recommendation

It is recommended to update Checkmk to the latest version to mitigate this vulnerability and to restrict dashboard editing permissions to trusted users.

Original NVD description (English source)

Stored cross-site scripting in the URL dashboard widget in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the dashboard.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS