CVE-2026-7186 HIGH

CVE-2026-7186: Fix stored XSS in URL dashboard widget via dangerous URI schemes

Vendor Checkmk Gmbh
Product Checkmk
Weakness CWE-79 · XSS
Published June 8, 2026
Last update June 8, 2026
View on NVD All CVEs

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N

What the vulnerability does

01Description

Stored cross-site scripting in the URL dashboard widget in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the dashboard.

Key dates

02Disclosure timeline

June 8, 2026 CVE published
June 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-41789 Unauthenticated Admin Account Takeover Via XSS CVE-2025-26653 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) CVE-2021-24502 WP Google Map < 1.7.7 - Authenticated Stored Cross-Site Scripting (XSS) CVE-2025-30941 WordPress Pinterest Verify Meta Tag plugin <= 1.3 - Cross Site Scripting (XSS) Vulnerability CVE-2026-6247 scratchblocks for WP <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'element' Shortcode Attribute