Werk #17993: Fix XSS in service discovery active check output

Component: Setup
Title: Fix XSS in service discovery active check output
Date: May 26, 2026
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions:

  • 2.5.0p5: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
  • 2.4.0p31: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
  • 2.3.0p48: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT

Previously, when clicking "Run check" for an active or custom check on the service discovery page, the check output was inserted into the page without proper HTML escaping. This allowed malicious HTML or JavaScript to be stored in the check output and later executed when an admin or user with host read permissions triggered the check execution.

By default, only admin users can configure the checks whose output is rendered here.
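The class of bug described above, as an added illustration that is not Checkmk's code: check output placed into markup verbatim versus escaped first, plus a small audit helper for spotting outputs that would have been interpreted as HTML. The function names, the `<td class="output">` wrapper and the sample outputs are assumptions constructed for this example.

```python
import html

# Constructed sample outputs, as an active or custom check might return them.
# The second one carries markup that must be displayed as text, never parsed.
SAMPLE_OUTPUTS = [
    "OK - HTTP 200, response time 0.12s",
    'CRIT - <img src=x onerror="alert(1)"> & more',
]

CELL_OPEN = '<td class="output">'   # hypothetical wrapper markup
CELL_CLOSE = "</td>"


def render_unsafe(output: str) -> str:
    """Unescaped pattern: the check output becomes part of the markup."""
    return f"{CELL_OPEN}{output}{CELL_CLOSE}"


def render_escaped(output: str) -> str:
    """Hardened pattern: &, <, > and both quote characters are escaped,
    so the browser shows the output as literal text."""
    return f"{CELL_OPEN}{html.escape(output, quote=True)}{CELL_CLOSE}"


def has_raw_markup(fragment: str) -> bool:
    """True if the cell body still contains an unescaped '<' from the output."""
    body = fragment[len(CELL_OPEN):-len(CELL_CLOSE)]
    return "<" in body


def outputs_needing_escape(outputs: list[str]) -> list[str]:
    """Audit helper: return the outputs that escaping would change,
    i.e. those containing HTML-significant characters."""
    return [o for o in outputs if html.escape(o, quote=True) != o]


if __name__ == "__main__":
    for out in SAMPLE_OUTPUTS:
        print("unsafe :", render_unsafe(out), "raw markup:", has_raw_markup(render_unsafe(out)))
        print("escaped:", render_escaped(out), "raw markup:", has_raw_markup(render_escaped(out)))
    print("flagged:", outputs_needing_escape(SAMPLE_OUTPUTS))
```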

Affected Versions:

  • 2.5.0
  • 2.4.0
  • 2.3.0
  • 2.2.0 (EOL)

Vulnerability Management:

We have rated the issue with a CVSS score of 4.8 (Medium) with the following CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N, and assigned CVE-2026-9549.

This issue was found during internal review.
