
Werk #20002: XSS in urls

Component: Setup
Title: XSS in urls
Date: May 18, 2026
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions:
  • 2.5.0p5: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
  • 2.4.0p31: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
  • 2.3.0p48: Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT

The function that decides whether a URL is allowed did not take HTML-encoded characters into account. Because the browser decodes such entities before interpreting the link, an attacker could circumvent the check and inject malicious URLs, e.g. javascript:alert(...).
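The following is an added illustration, not Checkmk's own code: a scheme check that inspects only the raw string beside a hardened version that first normalizes the URL the way a browser would (HTML entities decoded until stable, control characters removed). The names naive_is_allowed_url, normalize_url, is_allowed_url and ALLOWED_SCHEMES are hypothetical, and the sample URLs are constructed.

```python
import html
import re
from urllib.parse import urlparse

# Assumption for this example: only these schemes may be used as link targets;
# scheme-less (relative) URLs are also accepted.
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_allowed_url(url: str) -> bool:
    """Flawed check: looks at the raw string only, so an HTML-encoded scheme
    is not recognised and the URL is treated as a harmless relative link."""
    scheme = urlparse(url).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def normalize_url(url: str) -> str:
    """Undo the transformations a browser applies before it reads the scheme."""
    # Decode HTML entities repeatedly so double-encoded input is also resolved.
    previous = None
    while previous != url:
        previous = url
        url = html.unescape(url)
    # Browsers ignore ASCII control characters and whitespace inside a scheme.
    return re.sub(r"[\x00-\x20\x7f]", "", url)


def is_allowed_url(url: str) -> bool:
    """Hardened check: validate the scheme of the normalized URL."""
    scheme = urlparse(normalize_url(url)).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES
```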

Who is Affected

All editions in all configurations are affected.

Affected Checkmk Versions

  • 2.5.0
  • 2.4.0
  • 2.3.0

Vulnerability Management

We have rated the issue with a CVSS Score of 8.5 high (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N) and assigned CVE-2026-8833.

We thank Arvato Systems Offensive Security team for reporting this issue.
