This vulnerability (CVE-2026-3466) in Checkmk products involves improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization of dashboard dashlet title links. Attackers with dashboard creation privileges can store malicious scripts in these links, which execute when other users click them on shared dashboards. Affected versions include Checkmk 2.2.0 (EOL), 2.3.0 prior to 2.3.0p46, 2.4.0 prior to 2.4.0p25, and 2.5.0 beta prior to 2.5.0b3. The vulnerability allows for stored XSS attacks that can compromise confidentiality, integrity, and availability of the affected system's web interface. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond dashboard creation, user interaction required, and high impact on confidentiality, integrity, and availability. No official patch or remediation level is currently documented.

Successful exploitation allows an attacker with dashboard creation privileges to execute stored cross-site scripting attacks by embedding malicious scripts in dashlet title links. This can lead to unauthorized actions performed in the context of other users who click the crafted links, potentially compromising confidentiality, integrity, and availability of the affected Checkmk web interface. The vulnerability requires user interaction (clicking the malicious link) and privileges to create dashboards, limiting the attack surface to authorized users with those privileges. No known exploits in the wild have been reported to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict dashboard creation privileges to trusted users only to reduce the risk of exploitation. Monitor vendor communications for updates on patches or official mitigations. Avoid clicking on suspicious dashlet title links in shared dashboards.