Checkmk Gmbh Checkmk vulnerabilities
80 known vulnerabilities affecting checkmk_gmbh/checkmk.
Total CVEs: 80
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 31, MEDIUM 43, LOW 5
Vulnerabilities
Page 4 of 4
CVE-2025-2596 | P4 | MEDIUM | CVSS 5.3 | CWE-613 | Date: 2025-03-26
Affected versions: ≥ 2.4.0, < 2.4.0b2; ≥ 2.3.0, < 2.3.0p30; +2 more
Session logout could be overwritten in Checkmk GmbH's Checkmk versions <2.3.0p30, <2.2.0p41, and 2.1.0p49 (EOL).
Source: nvd
CVE-2023-22348 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | Date: 2023-05-17
Affected versions: ≥ 2.2.0, < 2.2.0b8; ≥ 2.1.0, < 2.1.0p28
Improper Authorization in RestAPI in Checkmk GmbH's Checkmk versions <2.1.0p28 and <2.2.0b8 allows remote authenticated users to read arbitrary host_configs.
Source: nvd
CVE-2024-38858 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Date: 2024-09-02
Affected versions: ≥ 2.3.0, < 2.3.0p14
Improper neutralization of input in Checkmk before version 2.3.0p14 allows attackers to inject and run malicious scripts in the Robotmk logs view.
Source: nvd
CVE-2025-32915 | P4 | MEDIUM | CVSS 5.5 | CWE-732 | Date: 2025-05-22
Affected versions: ≥ 2.4.0, < 2.4.0p1; ≥ 2.3.0, < 2.3.0p32; +2 more
Packages downloaded by Checkmk's automatic agent updates on Linux and Solaris have incorrect permissions in Checkmk < 2.4.0p1, < 2.3.0p32, < 2.2.0p42 and <= 2.1.0p49 (EOL). This allows a local attacker to read sensitive data.
Source: nvd
CVE-2026-20915 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Date: 2026-03-31
Affected versions: ≥ 2.5.0b1, < 2.5.0b2
Stored cross-site scripting (XSS) in Checkmk version 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar.
Source: nvd
CVE-2023-23548 | P4 | MEDIUM | CVSS 6.1 | CWE-80 | Date: 2023-08-01
Affected versions: ≥ 2.2.0, < 2.2.0p8; ≥ 2.1.0, < 2.1.0p32; +2 more
Reflected XSS in business intelligence in Checkmk <2.2.0p8, <2.1.0p32, <2.0.0p38, <=1.6.0p30.
Source: nvd
CVE-2024-47094 | P4 | MEDIUM | CVSS 5.5 | CWE-532 | Date: 2024-11-29
Affected versions: ≥ 2.3.0, < 2.3.0p22; ≥ 2.2.0, < 2.2.0p37; +1 more
Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p22, <2.2.0p37, <2.1.0p50 (EOL) causes remote site secrets to be written to web log files accessible to local site users.
Source: nvd
CVE-2026-2859 | P4 | MEDIUM | CVSS 4.3 | CWE-204 | Date: 2026-03-13
Affected versions: ≥ 2.4.0, < 2.4.0p23; ≥ 2.3.0, < 2.3.0p43; +1 more
Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows unauthenticated users to enumerate existing hosts by observing different HTTP response codes in the deploy_agent endpoint, which could lead to information disclosure.
Source: nvd
CVE-2026-24097 | P4 | MEDIUM | CVSS 4.3 | CWE-204 | Date: 2026-03-13
Affected versions: ≥ 2.4.0, < 2.4.0p23; ≥ 2.3.0, < 2.3.0p43; +1 more
Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows authenticated users to enumerate existing hosts by observing different HTTP response codes in the agent-receiver/register_existing endpoint, which could lead to information disclosure.
Source: nvd
CVE-2024-28832 | P4 | MEDIUM | CVSS 4.8 | CWE-80 | Date: 2024-06-25
Affected versions: ≥ 2.3.0, < 2.3.0p7; ≥ 2.2.0, < 2.2.0p28; +2 more
Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows users with permission to change Global Settings to execute arbitrary scripts by injecting HTML elements into the Crash Report URL in the Global Settings.
Source: nvd
CVE-2026-8078 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | Date: 2026-06-08
Affected versions: ≥ 2.5.0, < 2.5.0p5; ≥ 2.4.0, < 2.4.0p31; +2 more
Stored cross-site scripting in the global settings change log in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the Activate Changes page or Audit log.
Source: nvd
CVE-2026-9549 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | Date: 2026-06-08
Affected versions: ≥ 2.5.0, < 2.5.0p5; ≥ 2.4.0, < 2.4.0p31; +2 more
Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run
Source: nvd
CVE-2025-64996 | P4 | MEDIUM | CVSS 4.4 | CWE-732 | Date: 2025-11-18
Affected versions: ≥ 2.4.0, < 2.4.0p16; ≥ 2.3.0, < 2.3.0p41; +2 more
In Checkmk versions prior to 2.4.0p16, 2.3.0p41, and all versions of 2.2.0 and older, the mk_inotify plugin creates world-readable and writable files, allowing any local user on the system to read the plugin's output and manipulate it, potentially leading to unauthorized access to or modification of monitoring data.
Source: nvd
CVE-2025-32916 | P4 | MEDIUM | CVSS 4.3 | CWE-598 | Date: 2025-10-09
Affected versions: ≥ 2.4.0, < 2.4.0p13; ≥ 2.3.0, < 2.3.0p38; +2 more
Potential use of sensitive information in GET requests in Checkmk GmbH's Checkmk versions <2.4.0p13, <2.3.0p38, <2.2.0p46, and 2.1.0 (EOL) may cause sensitive form data to be included in URL query parameters, which may be logged in various places such as browser history or web server logs.
Source: nvd
CVE-2024-38862 | P4 | MEDIUM | CVSS 4.4 | CWE-532 | Date: 2024-10-14
Affected versions: ≥ 2.0.0, ≤ 2.0.0p39; ≥ 2.1.0, < 2.1.0p48; +2 more
Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p18, <2.2.0p35, <2.1.0p48 and <=2.0.0p39 (EOL) causes SNMP and IPMI secrets of host and folder properties to be written to audit log files accessible to administrators.
Source: nvd
CVE-2023-6251 | P4 | LOW | CVSS 3.5 | CWE-352 | Date: 2023-11-24
Affected versions: ≥ 2.0.0, ≤ 2.0.0p39; ≥ 2.1.0, < 2.1.0p37; +1 more
Cross-site Request Forgery (CSRF) in Checkmk < 2.2.0p15, < 2.1.0p37, <= 2.0.0p39 allows an authenticated attacker to delete user-messages for individual users.
Source: nvd
CVE-2024-1742 | P4 | LOW | CVSS 3.3 | CWE-214 | Date: 2024-03-22
Affected versions: ≥ 2.3.0, < 2.3.0b4; ≥ 2.2.0, < 2.2.0p24; +2 more
Invocation of the sqlplus command with sensitive information in the command line in the mk_oracle Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows the extraction of this information from the process list.
Source: nvd
CVE-2024-38864 | P4 | LOW | CVSS 3.3 | CWE-732 | Date: 2024-12-19
Affected versions: ≥ 2.3.0, < 2.3.0p23; ≥ 2.2.0, < 2.2.0p38; +1 more
Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p23, < 2.2.0p38 and <= 2.1.0p49 (EOL) allows a local attacker to read sensitive data.
Source: nvd
CVE-2024-28830 | P4 | LOW | CVSS 2.7 | CWE-532 | Date: 2024-06-26
Affected versions: ≥ 2.3.0, < 2.3.0p7; ≥ 2.2.0, < 2.2.0p28; +2 more
Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p7, <2.2.0p28, <2.1.0p45 and <=2.0.0p39 (EOL) causes automation user secrets to be written to audit log files accessible to administrators.
Source: nvd
CVE-2023-23549 | P4 | LOW | CVSS 2.7 | CWE-1284 | Date: 2023-11-15
Affected versions: ≥ 2.2.0, < 2.2.0p15; ≥ 2.1.0, < 2.1.0p37; +1 more
Improper Input Validation in Checkmk <2.2.0p15, <2.1.0p37, <=2.0.0p39 allows privileged attackers to cause partial denial of service of the UI via too long hostnames.
Source: nvd