VYPR
Medium severity (4.8) · NVD Advisory · Published Jun 8, 2026 · Updated Jun 8, 2026

CVE-2026-9549

Description

Stored XSS in Checkmk service discovery allows admin-configured checks to inject scripts executed in user browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the service discovery active check output within Checkmk versions prior to 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions. This issue arises because the check output is inserted into the page without proper HTML escaping when a check is run on the service discovery page [1].
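To make the mechanism concrete, the following added example (written for this page, not Checkmk's rendering code) contrasts the vulnerable pattern the advisory describes, check output spliced into the service table verbatim, with the hardened form that HTML-escapes the output at the sink, and adds a small oracle a reviewer can run over a rendered fragment. The `CheckResult` type, the `render_row_*` functions and the sample outputs are constructed assumptions; the canary output is test data.

```python
import html
from dataclasses import dataclass

# Constructed sample outputs such as an admin-configured active check might
# return. The second one carries a script-tag canary of the kind the advisory
# describes; it is test data, not a real check.
SAMPLE_OUTPUTS = [
    "OK - 3 services up, 0 down",
    'CRIT - <script>document.title="canary"</script>',
]

STATE_NAMES = {0: "OK", 1: "WARN", 2: "CRIT", 3: "UNKNOWN"}


@dataclass(frozen=True)
class CheckResult:
    """Hypothetical result of running one active check (assumed shape)."""
    state: int
    output: str


def render_row_unescaped(result: CheckResult) -> str:
    """Vulnerable pattern: the untrusted output is spliced into the markup as-is."""
    return (
        f'<tr><td class="state{result.state}">{STATE_NAMES[result.state]}</td>'
        f'<td class="output">{result.output}</td></tr>'
    )


def render_row_escaped(result: CheckResult) -> str:
    """Hardened pattern: escape at the sink, so markup in the output is shown as text."""
    return (
        f'<tr><td class="state{result.state}">{STATE_NAMES[result.state]}</td>'
        f'<td class="output">{html.escape(result.output, quote=True)}</td></tr>'
    )


def untrusted_markup_leaked(fragment: str, output: str) -> bool:
    """Oracle for a rendered fragment.

    Returns True if `output` contained HTML-significant characters but its
    escaped form does not appear in `fragment`, i.e. the output reached the
    page by some route other than escaping. Returns False for plain text.
    """
    if not any(c in output for c in "<>&\"'"):
        return False
    return html.escape(output, quote=True) not in fragment


def render_table(results, escape=True) -> str:
    """Render a whole discovery table with either the safe or the unsafe row renderer."""
    render = render_row_escaped if escape else render_row_unescaped
    return "<table>" + "".join(render(r) for r in results) + "</table>"


if __name__ == "__main__":
    results = [CheckResult(0, SAMPLE_OUTPUTS[0]), CheckResult(2, SAMPLE_OUTPUTS[1])]
    for escape in (False, True):
        page = render_table(results, escape=escape)
        leaked = any(untrusted_markup_leaked(page, r.output) for r in results)
        print(f"escape={escape}: markup leaked={leaked}")
        print(page)
```

The oracle deliberately tests for the presence of the escaped form rather than the absence of `<script>`; that way it also catches partial fixes such as stripping one tag name while leaving quotes or ampersands unescaped.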

Exploitation

An attacker with administrative privileges, who can configure active or custom checks, can inject malicious HTML or JavaScript into the check output. This malicious content will execute in the browser of an administrator or a user with host read permissions when they view or run the affected check on the service discovery page [1].

Impact

Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser. This can lead to session hijacking, credential theft, or further manipulation of the application, impacting the confidentiality and integrity of user data and actions within the affected scope [1].

Mitigation

Checkmk has released patches for this vulnerability. Affected versions include 2.5.0, 2.4.0, 2.3.0, and 2.2.0 (EOL). Users should update to Checkmk version 2.5.0p5, 2.4.0p31, or 2.3.0p48, or a later version. Version 2.2.0 is End-of-Life and should be upgraded [1].
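For fleet triage, the following added example (not Checkmk code) parses the version format used in this advisory (`2.4.0` or `2.4.0p31`) and applies the stated fixed patch levels, so an inventory can be split into affected, fixed and unknown hosts. The parsing rule, the `triage` helper and the sample inventory are assumptions; beta or daily-build version strings are reported as unknown rather than guessed at, and release lines the advisory does not mention are likewise reported as unknown.

```python
import re
from typing import Optional

# Fixed patch levels stated in the advisory, keyed by release line.
FIXED_PATCH_LEVEL = {(2, 5, 0): 5, (2, 4, 0): 31, (2, 3, 0): 48}
# Lines where every release is affected (2.2.0 is EOL per the advisory).
ALL_AFFECTED_LINES = {(2, 2, 0)}

# Assumed format: "MAJOR.MINOR.MICRO" optionally followed by "p<patch>".
# Anything else (betas, daily builds) is treated as unparseable, not guessed.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_version(text: str):
    """Return ((major, minor, micro), patch_level) or None if the string is not understood."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        return None
    major, minor, micro, patch = m.groups()
    patch_level = int(patch) if patch else 0   # a bare "2.4.0" is patch level 0
    return (int(major), int(minor), int(micro)), patch_level


def is_affected(text: str) -> Optional[bool]:
    """True = affected, False = at or above the fixed level, None = cannot tell."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    line, patch = parsed
    if line in ALL_AFFECTED_LINES:
        return True
    fixed = FIXED_PATCH_LEVEL.get(line)
    if fixed is None:
        return None   # release line not covered by the advisory
    return patch < fixed


def triage(inventory):
    """Split a {host: version} mapping into (affected, fixed, unknown) host lists, sorted by host."""
    affected, fixed, unknown = [], [], []
    for host, version in sorted(inventory.items()):
        verdict = is_affected(version)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            affected.append(host)
        else:
            fixed.append(host)
    return affected, fixed, unknown


# Constructed inventory for the demonstration.
SAMPLE_INVENTORY = {
    "mon-a": "2.4.0p30",
    "mon-b": "2.4.0p31",
    "mon-c": "2.2.0p40",
    "mon-d": "2.5.0p5",
    "mon-e": "2.3.0-2026.01.05",   # daily build: reported as unknown
}

if __name__ == "__main__":
    affected, fixed, unknown = triage(SAMPLE_INVENTORY)
    print("affected:", affected)
    print("fixed:   ", fixed)
    print("unknown: ", unknown)
```

Unknown hosts are kept separate on purpose: a daily build or a release line outside the advisory should be checked by hand rather than silently counted as safe.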

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

  • Checkmk/Checkmk (llm-fuzzy)
    Range: <2.5.0p5, <2.4.0p31, <2.3.0p48, all 2.2.0

Patches (3)
a35953b1c7f8

Fix stale success state in GenerateToken after token reset

https://github.com/Checkmk/checkmk · Ronny Bruska · Apr 24, 2026 · Fixed in 2.5.0 via release-tag
1 file changed · +9 −1
  • packages/cmk-frontend-vue/src/mode-host/agent-connection-test/components/GenerateToken.vue (+9 −1, modified)
    @@ -4,7 +4,7 @@ This file is part of Checkmk (https://checkmk.com). It is subject to the terms a
     conditions defined in the file COPYING, which is part of this source code package.
     -->
     <script setup lang="ts">
    -import { computed, ref } from 'vue'
    +import { computed, ref, watch } from 'vue'
     
     import { Api } from '@/lib/api-client'
     import usei18n from '@/lib/i18n'
    @@ -50,6 +50,14 @@ const ottGenerated = ref(false)
     const ottError = ref<Error | null>(null)
     const ottExpiry = ref<Date | null>(null)
     const noOTT = ref(false)
    +
    +watch(ott, (newValue) => {
    +  if (newValue === null) {
    +    ottGenerated.value = false
    +    ottError.value = null
    +    ottExpiry.value = null
    +  }
    +})
     const api = new Api('api/internal/', [['Content-Type', 'application/json']])
     const tokenGenerationBody = ref<IAgentTokenGenerationRequestBody>(props.tokenGenerationBody)
     
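Review bot: the watcher added in this hunk resets `ottGenerated`, `ottError` and `ottExpiry` when `ott` becomes `null` but leaves `noOTT` as it was; confirm that is intentional, and add a one-line comment saying the reset drops a stale success state after a token reset, since that reason currently lives only in the commit message. A blank line before `const api = ...` would also separate the watcher from the API setup. Nothing in this hunk touches output escaping, so this commit does not by itself explain the XSS fix the advisory describes.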
    
4abde4a41de6

Improvements for HTML Email template

https://github.com/Checkmk/checkmk · Ronny Bruska · Mar 27, 2025 · Fixed in 2.4.0 via release-tag
2 files changed · +12 −6
  • notifications/templates/mail/base.html (+8 −2, modified)
    @@ -3,6 +3,12 @@
         <head>
             <title>HTML Email template</title>
             <meta name="viewport" content="width=device-width, initial-scale=1.0">
    +        <style>
    +        @media screen and (max-width: 460px) and (orientation: portrait) {
    +           .iphone_padding { padding:0 !important;}
    +           .iphone_event_marker_bulk { width:auto !important;}
    +        }
    +        </style>
         </head>
         <body>
             {% import 'macros.html' as macros %}
    @@ -31,7 +37,7 @@
             } %}
             <table width="100%" style=" border-collapse: collapse; ">
                 <tr>
    -                <td align="center" style="padding: 20px;">
    +                <td align="center" style="padding: 20px;", class="iphone_padding">
                         <table width="100%"
                                align="center"
                                style="max-width: 600px;
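Review bot: the changed `<td>` line in this hunk has a stray comma between two attributes: `<td align="center" style="padding: 20px;", class="iphone_padding">`. That is not valid HTML; tolerant parsers may recover, but whether `class` is then applied is parser-dependent, which matters in mail clients. Drop the comma so it reads `<td align="center" style="padding: 20px;" class="iphone_padding">`, the same form the next hunk uses.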
    @@ -41,7 +47,7 @@
                                       background-color: #ffffff">
                             {{ macros.margin_tr() }}
                             <tr>
    -                            <td align="center" style="padding: 8px;">
    +                            <td align="center" style="padding: 8px;" class="iphone_padding">
                                     {% if not is_bulk or bulk_summary %}
                                         <table align="center" style=" border-collapse: collapse; width: 100%; min-width: 220px;
                                             max-width: 536px"">
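Review bot: the context line `max-width: 536px"">` carries a doubled closing quote on the inner table's `style` attribute. It predates this change, but since this hunk edits the enclosing `<td>`, fix it here as `max-width: 536px">` rather than leaving a malformed attribute next to the new `iphone_padding` class.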
    
  • notifications/templates/mail/bulk.html (+4 −4, modified)
    @@ -21,12 +21,12 @@
         </tr>
         {% for entry in bulk_summary %}
             {% set bulk_service_notification = entry.WHAT == 'SERVICE' %}
    -        <tr style=" border: 1px solid #DFDFDF; height: 35px">
    +        <tr style="border: 1px solid #DFDFDF; height: 35px">
                 <td style="border: 1px solid #DFDFDF;
                            padding: 0% 2% 0 2%;
                            width: 15%;
                            word-break: break-all">{{ entry.LINKEDHOSTNAME | safe }}</td>
    -            <td style=" border: 1px solid #DFDFDF; padding: 0% 2% 0 2%; ">
    +            <td style="border: 1px solid #DFDFDF; padding: 0% 2% 0 2%">
                     {% if bulk_service_notification %}{{ entry.LINKEDSERVICEDESC | safe }}{% endif %}
                 </td>
                 <td height="33"
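Review bot: the changes in this hunk only normalise whitespace in inline styles, but the surrounding context renders `{{ entry.LINKEDHOSTNAME | safe }}` and `{{ entry.LINKEDSERVICEDESC | safe }}`, and `| safe` switches off Jinja's autoescaping for those values. Given this advisory concerns unescaped output, it is worth confirming in review that both values are already escaped-and-linkified HTML produced by trusted code, and stating that in a comment at the top of the template, so a later change does not pass raw host or service names through them.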
    @@ -37,7 +37,7 @@
                     <table style="border-collapse: collapse;" align="center">
                         <tr>
                             <td style="padding: 0; vertical-align: middle;">
    -                            <div style="{{ macros.event_marker_bulk_style() }};
    +                            <div class="iphone_event_marker_bulk" style="{{ macros.event_marker_bulk_style() }};
                                             {% if service_notification %} {{ state_mapping[data.PREVIOUSSERVICEHARDSTATE] }} {% else %} {{ state_mapping[data.PREVIOUSHOSTHARDSTATE] }} {% endif %};
                                             display: inline-block;
                                             /* Inline block to respect width */">
    @@ -65,7 +65,7 @@
                                 <![endif]-->
                             </td>
                             <td style="padding: 0; vertical-align: middle;">
    -                            <div style="{{ macros.event_marker_bulk_style() }};
    +                            <div class="iphone_event_marker_bulk" style="{{ macros.event_marker_bulk_style() }};
                                             {% if service_notification %} {{ state_mapping[data.SERVICESTATE] }} {% else %} {{ state_mapping[data.HOSTSTATE] }} {% endif %};
                                             display: inline-block;
                                             /* Inline block to respect width */">
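Review bot: this hunk and the previous one apply the identical edit to two `<div>` markers, adding `class="iphone_event_marker_bulk"` beside `{{ macros.event_marker_bulk_style() }}`. Since the style already comes from a macro, emitting the class from that macro, or wrapping the whole marker in one, would keep the two copies in step and spare the next fix from touching both again.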
    
779a2941a075

Bumped redfish mkp to 2.3.38

https://github.com/Checkmk/checkmk · Martin Hirschvogel · Apr 27, 2024 · Fixed in 2.3.0 via release-tag
1 file changed · +3 −3
  • package_versions.bzl (+3 −3, modified)
    @@ -72,9 +72,9 @@ NET_SNMP_SHA256 = "75b59d67e871aaaa31c8cef89ba7d06972782b97736b7e8c3399f36b50a88
     ROBOTMK_VERSION = "v2.0.0"
     ROBOTMK_SHA256 = "656126f7510854a294b28d789b0c138dfbd2a58e5d9f3ec4a5d8c9c88729cb42"
     
    -REDFISH_MKP_VERSION = "2.3.37"
    -REDFISH_MKP_COMMIT_HASH = "f0aaa5bc7296dfd5438dbde4d144cadabd693560"
    -REDFISH_MKP_SHA256 = "c9a738c2c9647841c618bc463e560984e586e241b1cf01b8d10e3f3cb1267c41"
    +REDFISH_MKP_VERSION = "2.3.38"
    +REDFISH_MKP_COMMIT_HASH = "35b0ef91252bbba9b147ec12dc120bcc70bb3cf6"
    +REDFISH_MKP_SHA256 = "c388a2b5525a55a6e0b175c014a3cb375062b4643d2ceed7ee188c054b2f0c8c"
     
     RRDTOOL_VERSION = "1.7.2"
     RRDTOOL_SHA256 = "a199faeb7eff7cafc46fac253e682d833d08932f3db93a550a4a5af180ca58db"
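Review bot: the bump updates `REDFISH_MKP_VERSION`, `REDFISH_MKP_COMMIT_HASH` and `REDFISH_MKP_SHA256` together, which is the right shape for a pinned dependency. Add a comment beside the pin (or a line in the commit message) recording where the SHA256 was computed from, so a reviewer can reproduce it instead of taking the three values on trust. This is a dependency version bump that touches no output escaping, so it does not by itself account for the XSS fix the advisory describes.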
    

Vulnerability mechanics

Root cause

"Stored cross-site scripting in the service discovery active check output."

Attack vector

An administrator who can configure active or custom checks can inject malicious HTML or JavaScript into the check output. This payload executes in the browser of an administrator or a user with host read permissions when they view the check on the service discovery page. The vulnerability is present in Checkmk versions prior to 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions.

Affected code

The vulnerability resides within the service discovery active check output functionality. Specifically, the code responsible for rendering and displaying the results of active checks on the service discovery page is susceptible to injection. The provided patches do not directly pinpoint the exact file or function responsible for the XSS, but patch_id=5214550 modifies HTML templates related to notifications, indicating potential areas where output sanitization might be addressed.

What the fix does

The patch addresses a stored cross-site scripting vulnerability by sanitizing user-supplied input within the service discovery active check output. While the provided patches do not directly show the sanitization logic for the cross-site scripting issue, patch_id=5214550 modifies HTML templates for email notifications, suggesting a broader effort to improve HTML handling and prevent script execution. The core fix for the XSS in service discovery checks is not explicitly detailed in the provided patch diffs.

Preconditions

  • auth: The attacker must have administrator privileges to configure active or custom checks.
  • config: The attacker must be able to configure active or custom checks.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.