Werk #19033: Cross-site scripting in dashlet title
| Component | Setup |
| Title | Cross-site scripting in dashlet title |
| Date | Mar 3, 2026 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
Insufficient sanitization allowed stored XSS attacks in the title links of dashboard dashlets when a user clicked the title of a dashlet on an attacker-controlled dashboard. In order to exploit the issue, the attacker needed to be able to create and share a dashboard with the victim (e.g. by making it public), and the victim would need to click on the link.
Links are now sanitized appropriately to disallow running JavaScript code. Note that it is still possible to make title links point to arbitrary websites.
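The following is an added illustration of the kind of link sanitization the fix describes; it is example code written for this page, not Checkmk's implementation, and the function names (`sanitize_title_link`, `render_title_link`, the "unsafe" variant) and the `SAFE_FALLBACK` value are assumptions. It uses a scheme allowlist rather than a blocklist, so it goes slightly beyond the werk by also rejecting `data:` and other non-web schemes, while still allowing links to arbitrary `http`/`https` sites, exactly as the werk notes. It also shows why HTML escaping alone does not help: a `javascript:` URL contains nothing that escaping would change.

```python
"""Allowlist-based sanitization of a user-supplied dashlet title link.
Example code for illustration, not Checkmk's own implementation."""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Schemes a title link may use. Relative links (empty scheme, including
# scheme-relative "//host/path") are also accepted. Everything else
# (javascript:, data:, vbscript:, ...) is rejected; an allowlist does not
# need to enumerate every scheme a browser might execute.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Target substituted when the supplied link is rejected: an inert fragment.
SAFE_FALLBACK = "#"

# Browsers (WHATWG URL parsing) strip leading/trailing C0 controls and spaces
# and remove tabs/newlines anywhere in the URL before reading the scheme, so
# " javascript:" or "java\tscript:" behave exactly like "javascript:".
# Normalise the same way first, so the check sees what the browser will see.
_LEADING_TRAILING = "".join(chr(c) for c in range(0x21))
_TAB_NEWLINE = re.compile(r"[\t\n\r]")


def sanitize_title_link(url: Optional[str]) -> str:
    """Return the (normalised) link if its scheme is allowed, else SAFE_FALLBACK."""
    if not url:
        return SAFE_FALLBACK
    cleaned = _TAB_NEWLINE.sub("", url.strip(_LEADING_TRAILING))
    if not cleaned:
        return SAFE_FALLBACK
    try:
        scheme = urlsplit(cleaned).scheme  # urlsplit lower-cases the scheme
    except ValueError:  # e.g. malformed IPv6 host; treat as untrusted
        return SAFE_FALLBACK
    if scheme and scheme not in ALLOWED_SCHEMES:
        return SAFE_FALLBACK
    return cleaned


def render_title_link_unsafe(title: str, url: str) -> str:
    """Hypothetical weak variant: escapes for HTML but never checks the
    scheme, so a javascript: href survives intact and runs when clicked."""
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                    html.escape(title))


def render_title_link(title: str, url: str) -> str:
    """Hardened variant: validate the scheme first, then escape for the
    attribute context (href) and the text context (title) separately."""
    safe_url = sanitize_title_link(url)
    return '<a href="%s">%s</a>' % (html.escape(safe_url, quote=True),
                                    html.escape(title))


if __name__ == "__main__":
    # Constructed sample inputs: legitimate absolute and relative links plus
    # script-URL variants that rely on case or control characters.
    samples = [
        "https://example.com/dashboard",
        "/dashboard.py?name=main",
        "javascript:alert(1)",
        "JaVaScRiPt:alert(1)",
        "java\tscript:alert(1)",
        "  javascript:alert(1)",
        "data:text/html,x",
    ]
    for sample in samples:
        print(repr(sample), "->", repr(sanitize_title_link(sample)))
```

The key design point is the order of operations: normalise the way the browser will, decide on the scheme, and only then escape for the output context. Rejecting into a fixed inert target rather than trying to "repair" the URL keeps the failure mode predictable.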
We thank Alex Williams (Pellera Technologies) for reporting this issue.
Who's Affected:
This issue affects all editions of Checkmk in the default configuration.
Affected Versions:
- 2.4.0
- 2.3.0
- 2.2.0 (EOL)
Mitigations:
Avoid clicking dashboard title links on untrusted dashboards.
Vulnerability Management:
We have rated the issue with a CVSS Score of 8.5 High (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N) and assigned CVE-2026-3466.