wid-sec-w-2026-1050 · Published 2026-04-09 · Source: BSI CERT-Bund

Checkmk: Multiple Vulnerabilities

CVSS: N/A

Risk Summary

Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject Livestatus commands via the search query, due to insufficient input sanitization in the search filter plugins.

Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description.

Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter, due to insufficient sanitization of the service description value.

Affected Vendors

Checkmk

Affected Products (8)

Checkmk · Checkmk <2.6.0b1
Checkmk · Checkmk 2.6.0b1
Checkmk · Checkmk <2.5.0b4
Checkmk · Checkmk 2.5.0b4
Checkmk · Checkmk <2.4.0p26
Checkmk · Checkmk 2.4.0p26
Checkmk · Checkmk <2.3.0p47
Checkmk · Checkmk 2.3.0p47
