
Werk #19525: Fix XSS in Unified Search via unescaped host/service names

Component: User interface
Title: Fix XSS in Unified Search via unescaped host/service names
Date: Mar 23, 2026
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions:

  • 2.6.0b1 (not yet released): Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT
  • 2.5.0b2: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT

A stored cross-site scripting (XSS) vulnerability in the Unified Search feature allowed authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches.

This issue has now been fixed.

Details

Unified Search did not properly sanitize host and service names before rendering them in search results. An attacker could create a host or service with a crafted name containing malicious JavaScript, which would execute when another user viewed the entry in search results.
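
The flaw class described above, as an added example that is not Checkmk's own code: a search-result renderer that concatenates a name into markup, next to one that escapes on output, plus a helper that lists stored names containing HTML metacharacters. All function names and the sample data are constructed for illustration.

```javascript
// Added example, not Checkmk source code; all names here are hypothetical.

// Characters that change meaning in HTML text or attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the host/service name is concatenated into markup as-is,
// so any tags stored in the name become part of the page for every viewer.
function renderResultUnsafe(entry) {
  return `<li class="result"><span class="kind">${entry.kind}</span> ${entry.name}</li>`;
}

// Hardened pattern: every field that comes from stored data is escaped
// at output time, so the name is always displayed as text.
function renderResultSafe(entry) {
  return `<li class="result"><span class="kind">${escapeHtml(entry.kind)}</span> ${escapeHtml(entry.name)}</li>`;
}

// Audit helper: list stored names that contain HTML metacharacters,
// so an administrator can review them after patching.
function findNamesWithMarkup(entries) {
  return entries.filter((e) => /[&<>"']/.test(e.name)).map((e) => e.name);
}

// Constructed sample search results (not real monitoring data).
const SAMPLE_RESULTS = [
  { kind: "host", name: "db-prod-01" },
  { kind: "service", name: "CPU load" },
  { kind: "service", name: "Disk <script>alert(1)</script>" },
];

// Render each sample entry both ways for side-by-side comparison.
function demo() {
  return SAMPLE_RESULTS.map((e) => ({ unsafe: renderResultUnsafe(e), safe: renderResultSafe(e) }));
}

for (const row of demo()) {
  console.log("unsafe:", row.unsafe);
  console.log("safe:  ", row.safe);
}
console.log("names to review:", findNamesWithMarkup(SAMPLE_RESULTS));
```

In DOM code the equivalent of the hardened renderer is assigning the name to `textContent` rather than `innerHTML`.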

Who is Affected

All editions of Checkmk in all configurations are affected.

Affected Checkmk Versions

  • 2.5.0

Vulnerability Management

We have rated the issue with a CVSS Score of 8.6 High (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N) and assigned CVE-2026-33276.

This issue was found by internal review.
