wid-sec-w-2026-0983  ·  Published 2026-04-06  ·  View on BSI CERT-Bund

Checkmk: Multiple Vulnerabilities

CVSS 9.3 CRITICAL

Risk Summary

Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root by manipulating files in the site context that are processed when the `omd` administrative command is run by root.

Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.
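The affected ranges above mix a patch-release suffix (2.3.0p46) with a beta suffix (2.5.0b3), so a plain string comparison gets them wrong. The following added example (not part of the advisory or of Checkmk's own tooling) parses Checkmk-style version strings and checks an inventory against the ranges stated in the risk summary. It assumes Checkmk's ordering of betas before the release and patch releases after it, tolerates an optional edition suffix such as `.cre` or `.cee`, and uses a constructed host inventory as input.

```python
import re

# Affected ranges taken from the advisory text above.
# base release -> first fixed version; None means the whole line is affected (EOL).
FIXED_IN = {
    "2.2.0": None,
    "2.3.0": "2.3.0p46",
    "2.4.0": "2.4.0p25",
    "2.5.0": "2.5.0b3",
}

# Assumption: versions look like 2.3.0, 2.3.0p46 or 2.5.0b3, optionally followed
# by an edition suffix such as .cre/.cee, which is ignored for ordering.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:([bp])(\d+))?(?:\.c[a-z]{2})?$")


def parse_version(version):
    """Return (base_release, sort_key) for a Checkmk version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Checkmk version string: {version!r}")
    major, minor, patch, kind, number = m.groups()
    base = f"{major}.{minor}.{patch}"
    # Assumption about Checkmk's scheme: beta (bN) < release (no suffix) < patch (pN).
    rank = {"b": 0, None: 1, "p": 2}[kind]
    return base, (int(major), int(minor), int(patch), rank, int(number or 0))


def is_affected(version):
    """True/False for release lines named in the advisory, None for other lines."""
    base, key = parse_version(version)
    if base not in FIXED_IN:
        return None
    fixed = FIXED_IN[base]
    if fixed is None:
        return True
    return key < parse_version(fixed)[1]


def triage(inventory):
    """Return the hosts whose Checkmk version falls inside an affected range."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "mon-legacy": "2.2.0p40.cre",  # EOL line, always affected
    "mon-prod-a": "2.3.0p45",      # one patch release short of the fix
    "mon-prod-b": "2.3.0p46.cee",  # fixed
    "mon-stage": "2.5.0b2",        # beta before the fix
    "mon-lab": "2.6.0b1",          # not named in the risk summary
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs updating")
```

`is_affected` returns `None` rather than `False` for a release line the risk summary does not mention, so a newer line is flagged as "unknown" instead of being silently reported as safe.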

Affected Vendors

Checkmk

Affected Products (8)

Checkmk · Checkmk <2.6.0b1
Checkmk · Checkmk 2.6.0b1
Checkmk · Checkmk <2.5.0b3
Checkmk · Checkmk 2.5.0b3
Checkmk · Checkmk <2.4.0p25
Checkmk · Checkmk 2.4.0p25
Checkmk · Checkmk <2.3.0p46
Checkmk · Checkmk 2.3.0p46
