CVE Catalog

CVE-2026-8078

MediumCVSS 4.8
Published: Updated: Translated: NVD NIST

Summary

In Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions, there is a stored XSS vulnerability in the global settings change log. Administrators can store malicious HTML or JavaScript that executes in other users' browsers when they view the Activate Changes page or Audit log.

Risk Assessment

An attacker could exploit this vulnerability to inject malicious scripts, potentially leading to user data theft or session hijacking. This poses a significant security risk to the organization and its users.

Recommendation

It is recommended to update Checkmk to the latest version to mitigate this vulnerability. Additionally, monitor change logs for any potential malicious entries.

Original NVD description (English source)

Stored cross-site scripting in the global settings change log in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the Activate Changes page or Audit log.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS