Werk #17992: Fix stored XSS in global settings change log

Component: Setup
Title: Fix stored XSS in global settings change log
Date: May 8, 2026
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed

Checkmk versions & editions:

  • 2.5.0p5: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
  • 2.4.0p31: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
  • 2.3.0p48: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT

Previously, when a global setting was changed, the new value was embedded into the change log message without proper HTML escaping. This allowed malicious HTML or JavaScript to be stored and later executed when viewing the Activate Changes page or the Audit log.

By default, only admin users have permission to change global settings.
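
The escaping flaw described above, shown as an added example that is not Checkmk's own code: a change log message built with and without HTML escaping, plus a parser-based check that could serve as a regression test. The setting name, the message wording, the `<tt>` template tag and all function names are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample value; the setting name is a hypothetical placeholder.
SETTING = "example_setting"
VALUE = '<script>console.log("constructed sample")</script>'

# Tags the message template itself emits (assumed for this example).
TEMPLATE_TAGS = {"tt"}


def message_unescaped(setting: str, value: str) -> str:
    """The flawed pattern: the value is pasted into stored HTML as-is."""
    return f"Changed global setting <tt>{setting}</tt> to {value}"


def message_escaped(setting: str, value: str) -> str:
    """The corrected pattern: every untrusted part is HTML-escaped first."""
    return (f"Changed global setting <tt>{escape(setting)}</tt> "
            f"to {escape(value, quote=True)}")


class _TagCollector(HTMLParser):
    """Records every start tag an HTML parser sees in a fragment."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(rendered: str) -> list[str]:
    """Return tags in the rendered message that the template did not emit."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return [t for t in collector.tags if t not in TEMPLATE_TAGS]


if __name__ == "__main__":
    print(unexpected_tags(message_unescaped(SETTING, VALUE)))
    print(unexpected_tags(message_escaped(SETTING, VALUE)))
```
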

Affected Versions:

  • 2.5.0
  • 2.4.0
  • 2.3.0
  • 2.2.0 (EOL)

Vulnerability Management:

We have rated the issue with a CVSS score of 4.8 (Medium) with the following CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N, and assigned CVE-2026-8078.

This issue was found during internal review.