CVE-2026-3466

UNKNOWN 0.0

Cross-site scripting in dashlet title

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.

CWE	CWE-79
Vendor	checkmk gmbh
Product	checkmk
Published	Apr 7, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for checkmk gmbh checkmk

Be the first to know when new unknown vulnerabilities affecting checkmk gmbh checkmk are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Checkmk GmbH / Checkmk

2.2.0 2.3.0 < 2.3.0p46 2.4.0 < 2.4.0p25 2.5.0b1 < 2.5.0b3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

checkmk.com: https://checkmk.com/werk/19033 vulncheck.com: https://www.vulncheck.com/advisories/checkmk-stored-cross-site-scripting-in-dashlet-title

Credits

🔍 Alex Williams (Pellera Technologies)