CVE-2026-3466 HIGH

CVE-2026-3466: Cross-site scripting in dashlet title

Vendor Checkmk Gmbh

Product Checkmk

Weakness CWE-79 · XSS

Published April 7, 2026

Last update April 22, 2026

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N

What the vulnerability does

01Description

Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.

Key dates

02Disclosure timeline

April 7, 2026 CVE published

April 22, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-3466 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2026-3466

CWE CWE-79

CVSS 8.5 / HIGH

Affected versions

Vendor Checkmk Gmbh

Product Checkmk

Affected 2.2.0

Vendor Checkmk Gmbh

Product Checkmk

Affected ≥ 2.3.0 and < 2.3.0p46

Vendor Checkmk Gmbh

Product Checkmk

Affected ≥ 2.4.0 and < 2.4.0p25

Vendor Checkmk Gmbh

Product Checkmk

Affected ≥ 2.5.0b1 and < 2.5.0

CVE-2026-3466: Cross-site scripting in dashlet title

01Description

02Disclosure timeline

03References

04Related CVE