wid-sec-w-2026-0928  ·  Published 2026-03-30  ·  Source: BSI CERT-Bund

Checkmk: Multiple Vulnerabilities allow Cross-Site Scripting

CVSS 8.6 HIGH

Risk Summary

Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature.

Affected Vendors

Checkmk

Affected Products (4)

Checkmk · Checkmk <2.6.0b1
Checkmk · Checkmk 2.6.0b1
Checkmk · Checkmk <2.5.0b2
Checkmk · Checkmk 2.5.0b2
