CVE-2026-9549 MEDIUM

CVE-2026-9549: Fix XSS in service discovery active check output

Vendor Checkmk Gmbh

Product Checkmk

Weakness CWE-79 · XSS

Published June 8, 2026

Last update June 8, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

What the vulnerability does

01Description

Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run the check on the service discovery page.

Key dates

02Disclosure timeline

June 8, 2026 CVE published

June 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-9549 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2026-9549

CWE CWE-79

CVSS 4.8 / MEDIUM

Affected versions

Vendor Checkmk Gmbh

Product Checkmk

Affected ≥ 2.5.0 and < 2.5.0p5

Vendor Checkmk Gmbh

Product Checkmk

Affected ≥ 2.4.0 and < 2.4.0p31

Vendor Checkmk Gmbh

Product Checkmk

Affected ≥ 2.3.0 and < 2.3.0p48

Vendor Checkmk Gmbh

Product Checkmk

Affected 2.2.0

CVE-2026-9549: Fix XSS in service discovery active check output

01Description

02Disclosure timeline

03References

04Related CVE