
Werk #19526: Fix XSS in pending changes popup

Component: Setup
Title: Fix XSS in pending changes popup
Date: Mar 23, 2026
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed

Checkmk versions & editions:
  • 2.6.0b1 (not yet released): Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT
  • 2.5.0b2: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT

A stored cross-site scripting (XSS) vulnerability in the Pending Changes sidebar allowed authenticated users with permission to create changes to execute arbitrary JavaScript in the browsers of other users viewing the sidebar.

This issue has now been fixed.

Details

The Pending Changes sidebar did not properly sanitize change attributes before rendering them. An attacker with permission to create pending changes could embed malicious JavaScript in certain attributes, which would execute when another user opened the sidebar.
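The bug class described above, as an added illustration that is not Checkmk's code: a minimal model of a sidebar that renders change records, with the vulnerable pattern (attributes written into the markup verbatim) beside the escaped one. The PendingChange record, its field names, the render functions and the sample records are all assumptions made for this example; the payloads are constructed.

```python
"""Minimal model of a pending-changes sidebar: an unescaped renderer beside an
escaped one. Written for this page as an illustration; not Checkmk code. The
record fields and function names are assumptions."""

import html
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingChange:
    """Constructed stand-in for a pending change; field names are assumed."""
    change_id: str
    user_id: str
    text: str


# Constructed sample input. Record 2 carries a script payload in the change
# text (element context); record 3 breaks out of an attribute value
# (attribute context). Both are attacker-controlled strings.
SAMPLE_CHANGES = [
    PendingChange("1", "alice", "Edited host srv01"),
    PendingChange("2", "mallory",
                  'Renamed rule <img src=x onerror="alert(document.cookie)">'),
    PendingChange("3", 'eve" onmouseover="alert(1)', "Changed folder"),
]


def render_unsafe(changes):
    """Vulnerable pattern: change attributes are concatenated into the HTML
    as-is. Any markup in `text` or `user_id` becomes live markup in the
    browser of every user who opens the sidebar (stored XSS)."""
    rows = [
        f'<li data-user="{c.user_id}"><b>{c.user_id}</b>: {c.text}</li>'
        for c in changes
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def render_safe(changes):
    """Hardened pattern: every attacker-influenced value is HTML-escaped at
    the point it is written into the document. html.escape(quote=True) also
    escapes '"' and "'", so the same value is safe inside a quoted attribute
    and inside element content."""
    rows = [
        '<li data-user="{}"><b>{}</b>: {}</li>'.format(
            html.escape(c.user_id, quote=True),
            html.escape(c.user_id, quote=True),
            html.escape(c.text, quote=True),
        )
        for c in changes
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def has_live_markup(rendered, needle):
    """Crude sink check: does an attacker-supplied fragment survive as
    unescaped markup in the rendered output?"""
    return needle in rendered


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_CHANGES))
    print(render_safe(SAMPLE_CHANGES))
```

The escaped renderer neutralises both contexts because escaping is applied per value at the output sink rather than by trying to filter "bad" input when the change is created; a deny-list on input would miss the attribute-breakout case and any encoding it did not anticipate.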

Who is Affected

All editions of Checkmk in all configurations are affected.

Affected Checkmk Versions

  • 2.5.0

Vulnerability Management

We have rated the issue with a CVSS Score of 8.5 High (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N) and assigned CVE-2026-20915.

This issue was found by internal review.
