
Werk #17991: Fix stored XSS in URL dashboard widget via dangerous URI schemes

Component: User interface
Title: Fix stored XSS in URL dashboard widget via dangerous URI schemes
Date: Apr 29, 2026
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions:

  • 2.5.0p5: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
  • 2.4.0p31: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
  • 2.3.0p48: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT

Previously, the URL widget accepted any URI scheme. A user permitted to edit dashboards could store a URL with a dangerous scheme that, when rendered, executed scripts in another viewer's browser session.

A victim is exposed when the malicious dashboard is shared with them and they open it, for example via Customize > Dashboards or the Monitor menu.

The widget now only accepts http and https URLs. Existing dashboards with valid URLs continue to work; any others display "Invalid URL" instead.
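As an added illustration, not Checkmk's own code, the following Python check implements the rule described above: only absolute http/https URLs pass, and anything else is replaced by the "Invalid URL" fallback. It normalises tab/newline and leading control characters the way browsers do before reading the scheme, so a scheme disguised with such characters is still rejected; the function and constant names and the sample widget URLs are my own.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})
INVALID_URL = "Invalid URL"  # fallback text shown by the fixed widget

# Browsers drop ASCII tab/newline anywhere in a URL and skip leading C0
# control characters and spaces before they look for the scheme, so a
# validator has to apply the same normalisation or it can be bypassed.
_TAB_OR_NEWLINE = re.compile(r"[\t\r\n]")
_C0_OR_SPACE = "".join(chr(c) for c in range(0x21))


def sanitize_widget_url(url: str) -> Optional[str]:
    """Return the normalised URL if it is an absolute http(s) URL, else None."""
    normalised = _TAB_OR_NEWLINE.sub("", url).lstrip(_C0_OR_SPACE)
    parts = urlsplit(normalised)
    # urlsplit lower-cases the scheme, so "JavaScript:" is caught as well.
    # Requiring a netloc also rejects scheme-relative ("//host") and
    # host-less ("http:") inputs rather than letting the browser guess.
    if parts.scheme in ALLOWED_SCHEMES and parts.netloc:
        return normalised
    return None


def render_widget_url(url: str) -> str:
    """What the widget would render for a stored URL: the URL or the fallback."""
    return sanitize_widget_url(url) or INVALID_URL


if __name__ == "__main__":
    # Constructed sample of stored widget URLs, not real dashboard data.
    stored_urls = [
        "https://monitoring.example/dashboard.py?name=main",
        "HTTP://Example.com/status",
        "javascript:alert(document.cookie)",
        "\tjava\nscript:alert(1)",
        "data:text/html,<script>alert(1)</script>",
        "//evil.example/",
    ]
    for stored in stored_urls:
        print(f"{stored!r:45} -> {render_widget_url(stored)}")
```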

Affected Versions:

  • 2.5.0
  • 2.4.0
  • 2.3.0
  • 2.2.0 (EOL)

Vulnerability Management:

We have rated this issue with a CVSS score of 8.5 / High (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N) and assigned CVE-2026-7186.

This issue was found during internal review.
