CVE-2026-3466
Severity CVSS v4.0:
HIGH
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
07/04/2026
Last modified:
22/04/2026
Description
Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.
Impact
Base Score 4.0
8.50
Severity 4.0
HIGH
Base Score 3.x
5.40
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:checkmk:checkmk:2.2.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:b1:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:b2:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:b3:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:b4:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:b5:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:b6:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:b7:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:b8:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:i1:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:p1:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:p10:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:p11:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:p12:*:*:*:*:*:* | ||
| cpe:2.3:a:checkmk:checkmk:2.2.0:p13:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page