
Checkmk Gmbh Checkmk vulnerabilities

80 known vulnerabilities affecting checkmk_gmbh/checkmk.

Total CVEs: 80
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 31, MEDIUM 43, LOW 5

Vulnerabilities

Page 3 of 4
CVE-2025-3506 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 2.4.0, < 2.4.0b6; v2.3.0; +2 more | Published: 2025-05-08
CWE-497: Files to be deployed with agents are accessible without authentication in Checkmk 2.1.0, Checkmk 2.2.0, Checkmk 2.3.0 and <Checkmk 2.4.0b6, which allows an attacker to access files that could contain secrets.
Source: nvd
CVE-2025-58121 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 2.4.0, < 2.4.0p16; v2.3.0; +1 more | Published: 2025-11-18
CWE-280: Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information.
Source: nvd
CVE-2025-58122 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 2.4.0, < 2.4.0p16 | Published: 2025-11-18
CWE-280: Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or information disclosure.
Source: nvd
CVE-2026-7765 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 2.5.0, < 2.5.0p5 | Published: 2026-06-08
CWE-863: Incorrect authorization in the User Messages dashboard widget in Checkmk <2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by sending requests to the underlying endpoint, even with
Source: nvd
CVE-2024-0638 | P4 | MEDIUM | CVSS 6.7 | Affected: ≥ 2.3.0, < 2.3.0b4; ≥ 2.2.0, < 2.2.0p24; +2 more | Published: 2024-03-22
CWE-272: Least privilege violation in the Checkmk agent plugins mk_oracle, mk_oracle.ps1, and mk_oracle_crs before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges.
Source: nvd
CVE-2024-38859 | P4 | MEDIUM | CVSS 6.1 | Affected: ≥ 2.3.0, < 2.3.0p14; ≥ 2.2.0, < 2.2.0p33; +2 more | Published: 2024-08-26
CWE-80: XSS in the view page with the SLA column configured in Checkmk versions prior to 2.3.0p14, 2.2.0p33, 2.1.0p47 and 2.0.0 (EOL) allowed malicious users to execute arbitrary scripts by injecting HTML elements into the SLA column title. These scripts could be executed when the view page was cloned by other users.
Source: nvd
CVE-2026-3103 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 2.4.0, < 2.4.0p23; ≥ 2.3.0, < 2.3.0p43; +1 more | Published: 2026-03-04
CWE-863: A logic error in the remove_password() function in Checkmk GmbH's Checkmk versions <2.4.0p23, <2.3.0p43, and 2.2.0 (EOL) allows a low-privileged user to cause data loss.
Source: nvd
CVE-2025-65000 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 2.4.0, < 2.4.0p18; v2.3.0 | Published: 2025-12-18
CWE-212: SSH private keys of the "Remote alert handlers (Linux)" rule were exposed in the rule page's HTML source in Checkmk <= 2.4.0p18 and all versions of Checkmk 2.3.0. This potentially allowed unauthorized triggering of predefined alert handlers on hosts where the handler was deployed.
Source: nvd
CVE-2026-3466 | P4 | MEDIUM | CVSS 5.4 | Affected: v2.2.0; ≥ 2.3.0, < 2.3.0p46; +2 more | Published: 2026-04-07
CWE-79: Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link.
Source: nvd
CVE-2024-6052 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 2.3.0, < 2.3.0p8; ≥ 2.2.0, < 2.2.0p29; +2 more | Published: 2024-07-03
CWE-80: Stored XSS in Checkmk before versions 2.3.0p8, 2.2.0p29, 2.1.0p45, and 2.0.0 (EOL) allows users to execute arbitrary scripts by injecting HTML elements.
Source: nvd
CVE-2024-28831 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 2.3.0, < 2.3.0p7; ≥ 2.2.0, < 2.2.0p28 | Published: 2024-06-25
CWE-80: Stored XSS in some confirmation pop-ups in Checkmk before versions 2.3.0p7 and 2.2.0p28 allows Checkmk users to execute arbitrary scripts by injecting HTML elements into some user input fields that are shown in a confirmation pop-up.
Source: nvd
CVE-2025-64999 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 2.4.0, < 2.4.0p22; ≥ 2.3.0, < 2.3.0p43 | Published: 2026-02-26
CWE-79: Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link.
Source: nvd
CVE-2026-8833 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 2.5.0, < 2.5.0p5; ≥ 2.4.0, < 2.4.0p31; +2 more | Published: 2026-06-08
CWE-79: Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another user interacts with the crafted link.
Source: nvd
CVE-2026-7186 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 2.5.0, < 2.5.0p5; ≥ 2.4.0, < 2.4.0p31; +2 more | Published: 2026-06-08
CWE-79: Stored cross-site scripting in the URL dashboard widget in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the dashboard.
Source: nvd
CVE-2024-38860 | P4 | MEDIUM | CVSS 6.1 | Affected: ≥ 2.2.0, < 2.2.0p34; ≥ 2.3.0, < 2.3.0p16 | Published: 2024-09-17
CWE-79: Improper neutralization of input in Checkmk before versions 2.3.0p16 and 2.2.0p34 allows attackers to craft malicious links that can facilitate phishing attacks.
Source: nvd
CVE-2024-38857 | P4 | MEDIUM | CVSS 6.1 | Affected: ≥ 2.3.0, < 2.3.0p8; ≥ 2.2.0, < 2.2.0p28; +2 more | Published: 2024-07-02
CWE-79: Improper neutralization of input in Checkmk before versions 2.3.0p8, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows attackers to craft malicious links that can facilitate phishing attacks.
Source: nvd
CVE-2024-3367 | P4 | MEDIUM | CVSS 5.5 | Affected: ≥ 2.3.0, < 2.3.0b5; ≥ 2.2.0, < 2.2.0p26; +2 more | Published: 2024-04-16
CWE-88: Argument injection in the websphere_mq agent plugin in Checkmk 2.0.0, 2.1.0, <2.2.0p26 and <2.3.0b5 allows a local attacker to inject one argument into runmqsc.
Source: nvd
CVE-2024-2380 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 2.3.0, < 2.3.0b4 | Published: 2024-04-05
CWE-80: Stored XSS in graph rendering in Checkmk <2.3.0b4.
Source: nvd
CVE-2024-5741 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 2.3.0, < 2.3.0p7; ≥ 2.2.0, < 2.2.0p28; +1 more | Published: 2024-06-17
CWE-80: Stored XSS in inventory tree rendering in Checkmk before 2.3.0p7, 2.2.0p28, 2.1.0p45 and 2.0.0 (EOL).
Source: nvd
CVE-2026-33276 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 2.5.0b1, < 2.5.0b2 | Published: 2026-03-31
CWE-79: Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature.
Source: nvd