CVE-2026-3466: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Checkmk GmbH Checkmk
Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.
AI Analysis
Technical Summary
This vulnerability involves improper neutralization of input during web page generation (CWE-79) in Checkmk dashboard dashlet title links. Versions 2.2.0 (EOL), 2.3.0 before 2.3.0p46, 2.4.0 before 2.4.0p25, and 2.5.0 beta before 2.5.0 allow an attacker with dashboard creation privileges to inject stored XSS payloads. When a victim clicks the crafted dashlet title link on a shared dashboard, the malicious script executes in their browser, potentially leading to high-impact consequences such as session hijacking or privilege escalation within the web application context. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond dashboard creation, user interaction required, and high impact on confidentiality, integrity, and availability. No official patch or remediation guidance is currently provided by the vendor.
Potential Impact
Successful exploitation allows stored cross-site scripting attacks, enabling attackers to execute arbitrary scripts in the context of the victim's browser session within Checkmk. This can lead to theft of sensitive information, session hijacking, or manipulation of the web application interface. The vulnerability requires the attacker to have dashboard creation privileges and the victim to interact by clicking the crafted link. The high CVSS score reflects the significant potential impact on confidentiality, integrity, and availability of the affected system.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict dashboard creation privileges to trusted users only and educate users to avoid clicking untrusted dashlet title links on shared dashboards. Monitor vendor communications for updates on patches or official mitigations.
CVE-2026-3466: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Checkmk GmbH Checkmk
Description
Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves improper neutralization of input during web page generation (CWE-79) in Checkmk dashboard dashlet title links. Versions 2.2.0 (EOL), 2.3.0 before 2.3.0p46, 2.4.0 before 2.4.0p25, and 2.5.0 beta before 2.5.0 allow an attacker with dashboard creation privileges to inject stored XSS payloads. When a victim clicks the crafted dashlet title link on a shared dashboard, the malicious script executes in their browser, potentially leading to high-impact consequences such as session hijacking or privilege escalation within the web application context. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond dashboard creation, user interaction required, and high impact on confidentiality, integrity, and availability. No official patch or remediation guidance is currently provided by the vendor.
Potential Impact
Successful exploitation allows stored cross-site scripting attacks, enabling attackers to execute arbitrary scripts in the context of the victim's browser session within Checkmk. This can lead to theft of sensitive information, session hijacking, or manipulation of the web application interface. The vulnerability requires the attacker to have dashboard creation privileges and the victim to interact by clicking the crafted link. The high CVSS score reflects the significant potential impact on confidentiality, integrity, and availability of the affected system.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict dashboard creation privileges to trusted users only and educate users to avoid clicking untrusted dashlet title links on shared dashboards. Monitor vendor communications for updates on patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Checkmk
- Date Reserved
- 2026-03-03T09:09:01.487Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d4fc92aaed68159a20605c
Added to database: 4/7/2026, 12:46:10 PM
Last enriched: 4/22/2026, 10:46:33 PM
Last updated: 5/22/2026, 10:07:14 AM
Views: 60
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.