CVE-2026-8833
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk15th percentile - higher than 15% of all known CVEs
Summary
In Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions, there is improper neutralization of HTML-encoded characters in the URL validation function. This allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, leading to cross-site scripting when another user interacts with the crafted link.
Risk Assessment
The organization may be exposed to cross-site scripting attacks, which can lead to user data theft or session hijacking. Exploitation of this vulnerability may also impact the organization's reputation and user trust.
Recommendation
It is recommended to update Checkmk to the latest version to eliminate this vulnerability. Additionally, conducting a security audit of the application is advisable to identify and remediate other potential vulnerabilities.
Original NVD description (English source)
Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another user interacts with the crafted link.

