Checkmk Gmbh Checkmk vulnerabilities
80 known vulnerabilities affecting checkmk_gmbh/checkmk.
Total CVEs: 80
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 31, MEDIUM 43, LOW 5
Vulnerabilities
Page 1 of 4
CVE-2024-28825 | CRITICAL (CVSS 9.8, priority P2) | CWE-307 | published 2024-04-24
Affected versions: ≥ 2.3.0, < 2.3.0b5; ≥ 2.2.0, < 2.2.0p26; +2 more ranges
Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta), 2.2.0p26, 2.1.0p43, and in Checkmk 2.0.0 (EOL) facilitates password brute-forcing.
Source: nvd
CVE-2025-1712 | HIGH (CVSS 8.8, priority P3) | CWE-88 | published 2025-05-21
Affected versions: ≥ 2.4.0, < 2.4.0p1; ≥ 2.3.0, < 2.3.0p32; +2 more ranges
Argument injection in special agent configuration in Checkmk <2.4.0p1, <2.3.0p32, <2.2.0p42 and 2.1.0 allows authenticated attackers to write arbitrary files.
Source: nvd
CVE-2024-8606 | HIGH (CVSS 8.8, priority P3) | CWE-863 | published 2024-09-23
Affected versions: ≥ 2.3.0, < 2.3.0p16; ≥ 2.2.0, < 2.2.0p34
Bypass of two factor authentication in RestAPI in Checkmk < 2.3.0p16 and < 2.2.0p34 allows authenticated users to bypass two factor authentication.
Source: nvd
CVE-2023-6156 | HIGH (CVSS 8.8, priority P3) | CWE-140 | published 2023-11-22
Affected versions: ≥ 2.2.0, < 2.2.0p15; ≥ 2.1.0, < 2.1.0p37; +1 more range
Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.
Source: nvd
CVE-2024-38865 | HIGH (CVSS 8.8, priority P3) | CWE-140 | published 2025-04-10
Affected versions: ≥ 2.3.0, < 2.3.0p25; ≥ 2.2.0, < 2.2.0p39; +1 more range
Improper neutralization of livestatus command delimiters in a specific endpoint within RestAPI of Checkmk prior to 2.2.0p39, 2.3.0p25, and 2.1.0p51 (EOL) allows arbitrary livestatus command execution. Exploitation requires the attacker to have a contact group assigned to their user account and for an event to originate from a host with the same contac
Source: nvd
CVE-2023-6157 | HIGH (CVSS 8.8, priority P3) | CWE-140 | published 2023-11-22
Affected versions: ≥ 2.2.0, < 2.2.0p15; ≥ 2.1.0, < 2.1.0p37; +1 more range
Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.
Source: nvd
CVE-2025-32918 | HIGH (CVSS 8.8, priority P3) | CWE-140 | published 2025-07-04
Affected versions: ≥ 2.4.0, < 2.4.0p6; ≥ 2.3.0, < 2.3.0p35; +2 more ranges
Improper neutralization of Livestatus command delimiters in autocomplete endpoint within the RestAPI of Checkmk versions <2.4.0p6, <2.3.0p35, <2.2.0p44, and 2.1.0 (EOL) allows an authenticated user to inject arbitrary Livestatus commands.
Source: nvd
CVE-2023-31208 | HIGH (CVSS 8.8, priority P3) | CWE-140 | published 2023-05-17
Affected versions: ≥ 2.2.0, < 2.2.0b8; ≥ 2.1.0, < 2.1.0p28; +1 more range
Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk < 2.0.0p36, < 2.1.0p28, and < 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users.
Source: nvd
CVE-2023-31209 | HIGH (CVSS 8.8, priority P3) | CWE-78 | published 2023-08-10
Affected versions: ≥ 2.2.0, < 2.2.0p4; ≥ 2.1.0, < 2.1.0p32; +1 more range
Improper neutralization of active check command arguments in Checkmk < 2.1.0p32, < 2.0.0p38, < 2.2.0p4 leads to arbitrary command execution for authenticated users.
Source: nvd
CVE-2025-32917 | HIGH (CVSS 8.8, priority P3) | CWE-427 | published 2025-05-13
Affected versions: ≥ 2.4.0, < 2.4.0b7; ≥ 2.3.0, < 2.3.0p32; +2 more ranges
Privilege escalation in jar_signature agent plugin in Checkmk versions <2.4.0b7 (beta), <2.3.0p32, <2.2.0p42, and 2.1.0p49 (EOL) allows a user with write access to the JAVA_HOME/bin directory to escalate privileges.
Source: nvd
CVE-2026-24096 | HIGH (CVSS 8.8, priority P3) | CWE-280 | published 2026-04-01
Affected versions: ≥ 2.5.0b1, < 2.5.0b2; ≥ 2.4.0, < 2.4.0p25
Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information.
Source: nvd
CVE-2024-28833 | HIGH (CVSS 7.5, priority P3) | CWE-307 | published 2024-06-10
Affected versions: ≥ 2.3.0, < 2.3.0p6
Improper restriction of excessive authentication attempts with two factor authentication methods in Checkmk 2.3 before 2.3.0p6 facilitates brute-forcing of second factor mechanisms.
Source: nvd
CVE-2026-33456 | HIGH (CVSS 7.6, priority P3) | CWE-140 | published 2026-04-10
Affected versions: ≥ 2.5.0, < 2.5.0b4; ≥ 2.4.0, < 2.4.0p26
Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description.
Source: nvd
CVE-2024-28826 | HIGH (CVSS 8.1, priority P3) | CWE-73 | published 2024-05-29
Affected versions: ≥ 2.3.0, < 2.3.0p4; ≥ 2.2.0, < 2.2.0p27; +2 more ranges
Improper restriction of local upload and download paths in check_sftp in Checkmk before 2.3.0p4, 2.2.0p27, 2.1.0p44, and in Checkmk 2.0.0 (EOL) allows attackers with sufficient permissions to configure the check to read and write local files on the Checkmk site server.
Source: nvd
CVE-2025-32919 | HIGH (CVSS 7.8, priority P3) | CWE-427 | published 2025-10-09
Affected versions: ≥ 2.4.0, < 2.4.0p13; ≥ 2.3.0, < 2.3.0p38; +2 more ranges
Use of an insecure temporary directory in the Windows License plugin for the Checkmk Windows Agent allows Privilege Escalation. This issue affects Checkmk: from 2.4.0 before 2.4.0p13, from 2.3.0 before 2.3.0p38, from 2.2.0 before 2.2.0p46, and all versions of 2.1.0 (EOL).
Source: nvd
CVE-2025-2092 | HIGH (CVSS 7.5, priority P3) | CWE-532 | published 2025-04-22
Affected versions: ≥ 2.3.0, < 2.3.0p29; ≥ 2.2.0, < 2.2.0p41; +1 more range
Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p29, <2.2.0p41 and <=2.1.0p49 (EOL) causes remote site authentication secrets to be written to log files accessible to administrators.
Source: nvd
CVE-2024-47091 | HIGH (CVSS 7.8, priority P3) | CWE-427 | published 2026-05-13
Affected versions: ≥ 2.4.0, < 2.4.0p29; ≥ 2.3.0, < 2.3.0p47; +1 more range
Privilege escalation in the mk_mysql agent plugin on Windows in Checkmk <2.4.0p29, <2.3.0p47, and 2.2.0 (EOL) allows a local unprivileged user able to create a Windows service whose name matches 'MySQL' or 'MariaDB' (or with write access to a binary referenced by such a service) to execute arbitrary code in the context of the Checkmk agent service, wh
Source: nvd
CVE-2024-28827 | HIGH (CVSS 7.8, priority P3) | CWE-732 | published 2024-07-10
Affected versions: ≥ 2.3.0, < 2.3.0p8; ≥ 2.2.0, < 2.2.0p29; +2 more ranges
Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) allows a local attacker to gain SYSTEM privileges.
Source: nvd
CVE-2023-31211 | MEDIUM (CVSS 6.5, priority P3) | CWE-303 | published 2024-01-12
Affected versions: ≥ 2.2.0, < 2.2.0p18; ≥ 2.1.0, < 2.1.0p38; +1 more range
Insufficient authentication flow in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows an attacker to use locked credentials.
Source: nvd
CVE-2023-31210 | HIGH (CVSS 7.8, priority P3) | CWE-427 | published 2023-12-13
Affected versions: ≥ 2.2.0p10, < 2.2.0p17
Usage of a user-controlled LD_LIBRARY_PATH in the agent in Checkmk 2.2.0p10 up to 2.2.0p16 allows a malicious Checkmk site user to escalate rights via injection of malicious libraries.
Source: nvd