
Werk #19583: Cross-site scripting in widget title link (incomplete prior fix)

Component Setup
Title Cross-site scripting in widget title link (incomplete prior fix)
Date Apr 15, 2026
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.6.0b1 (not yet released) Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
2.5.0 Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT

This is a follow-up for an incomplete fix in Werk 19033. Certain dashboard widgets still exposed the vulnerable behavior.

Note that only the fix for the 2.5.0 beta version was incomplete. Werk 19033 did fix the issue in Checkmk 2.4.0 and 2.3.0.

Who is Affected

This issue affects all editions of Checkmk in the default configuration.

Affected Checkmk Versions

  • 2.5.0 (beta)

Vulnerability Management

We have rated the issue with a CVSS Score of 8.5 High (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N) and updated CVE-2026-3466 to reflect the correct fix version.
