Medium severity5.4NVD Advisory· Published Apr 7, 2026· Updated Apr 22, 2026

CVE-2026-3466

Description

Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard.

Affected products

142

Checkmk/Checkmk142 versions
cpe:2.3:a:checkmk:checkmk:2.2.0:-:*:*:*:*:*:*+ 141 more
- cpe:2.3:a:checkmk:checkmk:2.2.0:-:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:b1:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:b2:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:b3:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:b4:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:b5:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:b6:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:b7:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:b8:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:i1:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p1:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p10:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p11:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p12:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p13:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p14:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p15:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p16:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p17:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p18:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p19:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p2:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p20:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p21:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p22:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p23:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p24:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p25:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p26:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p27:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p28:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p29:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p3:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p30:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p31:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p32:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p33:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p34:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p35:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p36:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p37:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p38:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p39:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p4:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p40:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p41:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p42:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p43:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p44:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p45:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p46:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p47:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p5:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p6:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p7:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p8:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.2.0:p9:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:-:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:b1:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:b2:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:b3:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:b4:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:b5:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:b6:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p1:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p10:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p11:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p12:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p13:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p14:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p15:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p16:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p17:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p18:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p19:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p2:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p20:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p21:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p22:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p23:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p24:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p25:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p26:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p27:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p28:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p29:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p3:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p30:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p31:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p32:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p33:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p34:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p35:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p36:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p37:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p38:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p39:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p4:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p40:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p41:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p42:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p43:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p44:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p45:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p5:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p6:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p7:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p8:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.3.0:p9:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:-:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:b1:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:b2:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:b3:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:b4:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:b5:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:b6:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p1:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p10:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p11:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p12:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p13:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p14:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p15:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p16:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p17:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p18:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p19:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p2:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p20:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p21:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p22:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p23:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p24:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p3:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p4:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p5:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p6:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p7:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p8:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.4.0:p9:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.5.0:b1:*:*:*:*:*:*
- cpe:2.3:a:checkmk:checkmk:2.5.0:b2:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

checkmk.com/werk/19033nvdVendor Advisory
www.vulncheck.com/advisories/checkmk-stored-cross-site-scripting-in-dashlet-titlenvdRelease NotesThird Party Advisory
checkmk.com/werk/19583nvd

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000