CVE-2026-20915 HIGH

CVE-2026-20915: Stored cross-site scripting in Pending Changes sidebar

Vendor Checkmk Gmbh

Product Checkmk

Weakness CWE-79 · XSS

Published March 31, 2026

Last update March 31, 2026

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N

What the vulnerability does

01Description

Stored cross-site scripting (XSS) in Checkmk version 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar.

Key dates

02Disclosure timeline

March 31, 2026 CVE published

March 31, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-20915

Related vulnerabilities

04Related CVE

CVE-2025-8211 Roothub SystemConfigAdminController.java edit cross site scripting CVE-2024-13590 Ketchup Shortcodes <= 0.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-46965 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2023-1243 Cross-site Scripting (XSS) - Stored in answerdev/answer CVE-2023-47854 WordPress Parallax Image Plugin <= 1.7.1 is vulnerable to Cross Site Scripting (XSS)