CVE-2025-64999

UNKNOWN 0.0

Cross-site scripting in HTML logs of Synthetic Monitoring test services

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

10th

Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link.

CWE	CWE-79
Vendor	checkmk gmbh
Product	checkmk
Published	Feb 26, 2026
Last Updated	Apr 14, 2026

Stay Ahead of the Next One

Get instant alerts for checkmk gmbh checkmk

Be the first to know when new unknown vulnerabilities affecting checkmk gmbh checkmk are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Checkmk GmbH / Checkmk

2.4.0 < 2.4.0p22 2.3.0 < 2.3.0p43

References

NVD ↗ CVE.org ↗ EPSS Data ↗

checkmk.com: https://checkmk.com/werk/19238 github.com: https://github.com/sbaresearch/advisories/tree/e72ce9bb6b9ffffc1fc35e4d8152ad153293c851/2025/SBA-ADV-20251118-01_Checkmk_Cross_Site_Scripting

Credits

🔍 Lisa Gnedt (SBA Research)