Total: 95 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-20915 | 1 Checkmk | 1 Checkmk | 2026-04-02 | N/A | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) in Checkmk version 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar. | |||||
| CVE-2026-33276 | 1 Checkmk | 1 Checkmk | 2026-04-02 | N/A | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature. | |||||
| CVE-2026-24097 | 1 Checkmk | 1 Checkmk | 2026-03-18 | N/A | 4.3 MEDIUM |
| Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows authenticated users to enumerate existing hosts by observing different HTTP response codes in agent-receiver/register_existing endpoint, which could lead to information disclosure. | |||||
| CVE-2026-2859 | 1 Checkmk | 1 Checkmk | 2026-03-18 | N/A | 4.3 MEDIUM |
| Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows unauthenticated users to enumerate existing hosts by observing different HTTP response codes in deploy_agent endpoint, which could lead to information disclosure. | |||||
| CVE-2026-3103 | 1 Checkmk | 1 Checkmk | 2026-03-05 | N/A | 5.4 MEDIUM |
| A logic error in the remove_password() function in Checkmk GmbH's Checkmk versions <2.4.0p23, <2.3.0p43, and 2.2.0 (EOL) allows a low-privileged user to cause data loss. | |||||
| CVE-2025-64999 | 1 Checkmk | 1 Checkmk | 2026-03-05 | N/A | 5.4 MEDIUM |
| Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link. | |||||
| CVE-2025-65000 | 1 Checkmk | 1 Checkmk | 2025-12-23 | N/A | 5.3 MEDIUM |
| SSH private keys of the "Remote alert handlers (Linux)" rule were exposed in the rule page's HTML source in Checkmk <= 2.4.0p18 and all versions of Checkmk 2.3.0. This potentially allowed unauthorized triggering of predefined alert handlers on hosts where the handler was deployed. | |||||
| CVE-2025-64997 | 1 Checkmk | 1 Checkmk | 2025-12-23 | N/A | 6.5 MEDIUM |
| Insufficient permission validation in Checkmk versions prior to 2.4.0p17 and 2.3.0p42 allows low-privileged users to view agent information via the REST API, which could lead to information disclosure. | |||||
| CVE-2025-32916 | 1 Checkmk | 1 Checkmk | 2025-12-04 | N/A | 4.3 MEDIUM |
| Potential use of sensitive information in GET requests in Checkmk GmbH's Checkmk versions <2.4.0p13, <2.3.0p38, <2.2.0p46, and 2.1.0 (EOL) may cause sensitive form data to be included in URL query parameters, which may be logged in various places such as browser history or web server logs. | |||||
| CVE-2025-32919 | 1 Checkmk | 1 Checkmk | 2025-12-04 | N/A | 7.8 HIGH |
| Use of an insecure temporary directory in the Windows License plugin for the Checkmk Windows Agent allows Privilege Escalation. This issue affects Checkmk: from 2.4.0 before 2.4.0p13, from 2.3.0 before 2.3.0p38, from 2.2.0 before 2.2.0p46, and all versions of 2.1.0 (EOL). | |||||
| CVE-2025-39664 | 1 Checkmk | 1 Checkmk | 2025-12-04 | N/A | 6.5 MEDIUM |
| Insufficient escaping in the report scheduler within Checkmk <2.4.0p13, <2.3.0p38, <2.2.0p46 and 2.1.0 (EOL) allows authenticated attackers to define the storage location of report file pairs beyond their intended root directory. | |||||
| CVE-2025-39663 | 1 Checkmk | 1 Checkmk | 2025-12-03 | N/A | 8.4 HIGH |
| Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML code into service outputs in the central site. This affects Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (EOL). | |||||
| CVE-2025-58121 | 1 Checkmk | 1 Checkmk | 2025-11-24 | N/A | 5.4 MEDIUM |
| Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information. | |||||
| CVE-2025-64996 | 1 Checkmk | 1 Checkmk | 2025-11-24 | N/A | 4.4 MEDIUM |
| In Checkmk versions prior to 2.4.0p16, 2.3.0p41, and all versions of 2.2.0 and older, the mk_inotify plugin creates world-readable and writable files, allowing any local user on the system to read the plugin's output and manipulate it, potentially leading to unauthorized access to or modification of monitoring data. | |||||
| CVE-2025-58122 | 1 Checkmk | 1 Checkmk | 2025-11-24 | N/A | 5.4 MEDIUM |
| Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or information disclosure. | |||||
| CVE-2024-6163 | 1 Checkmk | 1 Checkmk | 2025-08-27 | N/A | 5.3 MEDIUM |
| Certain HTTP endpoints of Checkmk in Checkmk < 2.3.0p10, < 2.2.0p31, < 2.1.0p46, <= 2.0.0p39 allow a remote attacker to bypass authentication and access data. | |||||
| CVE-2025-32915 | 3 Checkmk, Linux, Oracle | 3 Checkmk, Linux Kernel, Solaris | 2025-08-26 | N/A | 5.5 MEDIUM |
| Packages downloaded by Checkmk's automatic agent updates on Linux and Solaris have incorrect permissions in Checkmk < 2.4.0p1, < 2.3.0p32, < 2.2.0p42 and <= 2.1.0p49 (EOL). This allows a local attacker to read sensitive data. | |||||
| CVE-2024-38864 | 2 Checkmk, Microsoft | 2 Checkmk, Windows | 2025-08-25 | N/A | 3.3 LOW |
| Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p23, < 2.2.0p38 and <= 2.1.0p49 (EOL) allows a local attacker to read sensitive data. | |||||
| CVE-2024-6572 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 7.4 HIGH |
| Improper host key checking in active check 'Check SFTP Service' and special agent 'VNX quotas and filesystem' in Checkmk before Checkmk 2.3.0p15, 2.2.0p33, 2.1.0p48 and 2.0.0 (EOL) allows man-in-the-middle attackers to intercept traffic. | |||||
| CVE-2025-3506 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 5.3 MEDIUM |
| Files to be deployed with agents are accessible without authentication in Checkmk 2.1.0, Checkmk 2.2.0, Checkmk 2.3.0 and Checkmk <2.4.0b6, which allows an attacker to access files that could contain secrets. | |||||
