VYPR

Checkmk

by Checkmk

CVEs (117)

  • CVE-2026-8078 | Med | Jun 8, 2026
    risk 0.24 | cvss 4.8 | epss 0.00

    Stored cross-site scripting in the global settings change log in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users'…

  • CVE-2021-40904 | Mar 25, 2022
    risk 0.02 | cvss - | epss 0.04

    The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded PHP code. As a result, remote code execution is achieved. Successful exploitation requires access to the…

  • CVE-2021-36563 | Jul 26, 2021
    risk 0.01 | cvss - | epss 0.02

    The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the WATO module. This allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side…

  • CVE-2026-2859 | Mar 13, 2026
    risk 0.00 | cvss - | epss 0.00

    Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows unauthenticated users to enumerate existing hosts by observing different HTTP response codes in deploy_agent endpoint, which could lead to information…

  • CVE-2026-24097 | Mar 13, 2026
    risk 0.00 | cvss - | epss 0.00

    Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows authenticated users to enumerate existing hosts by observing different HTTP response codes in agent-receiver/register_existing endpoint, which could lead to…

  • CVE-2026-3103 | Mar 4, 2026
    risk 0.00 | cvss - | epss 0.00

    A logic error in the remove_password() function in Checkmk GmbH's Checkmk versions <2.4.0p23, <2.3.0p43, and 2.2.0 (EOL) allows a low-privileged user to cause data loss.

  • CVE-2025-64999 | Feb 26, 2026
    risk 0.00 | cvss - | epss 0.00

    Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted…

  • CVE-2025-65000 | Dec 18, 2025
    risk 0.00 | cvss - | epss 0.00

    SSH private keys of the "Remote alert handlers (Linux)" rule were exposed in the rule page's HTML source in Checkmk <= 2.4.0p18 and all versions of Checkmk 2.3.0. This potentially allowed unauthorized triggering of predefined alert handlers on hosts where the handler was…

  • CVE-2025-64997 | Dec 18, 2025
    risk 0.00 | cvss - | epss 0.00

    Insufficient permission validation in Checkmk versions prior to 2.4.0p17 and 2.3.0p42 allows low-privileged users to view agent information via the REST API, which could lead to information disclosure.

  • CVE-2025-58121 | Nov 18, 2025
    risk 0.00 | cvss - | epss 0.00

    Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information.

  • CVE-2025-58122 | Nov 18, 2025
    risk 0.00 | cvss - | epss 0.00

    Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or information disclosure.

  • CVE-2025-64996 | Nov 18, 2025
    risk 0.00 | cvss - | epss 0.00

    In Checkmk versions prior to 2.4.0p16, 2.3.0p41, and all versions of 2.2.0 and older, the mk_inotify plugin creates world-readable and writable files, allowing any local user on the system to read the plugin's output and manipulate it, potentially leading to unauthorized access…

  • CVE-2025-39663 | Oct 30, 2025
    risk 0.00 | cvss - | epss 0.01

    Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML code into service outputs in the central site. Affecting Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (EOL).

  • CVE-2025-39664 | Oct 9, 2025
    risk 0.00 | cvss - | epss 0.01

    Insufficient escaping in the report scheduler within Checkmk <2.4.0p13, <2.3.0p38, <2.2.0p46 and 2.1.0 (EOL) allows authenticated attackers to define the storage location of report file pairs beyond their intended root directory.

  • CVE-2025-32919 | Oct 9, 2025
    risk 0.00 | cvss - | epss 0.00

    Use of an insecure temporary directory in the Windows License plugin for the Checkmk Windows Agent allows Privilege Escalation. This issue affects Checkmk: from 2.4.0 before 2.4.0p13, from 2.3.0 before 2.3.0p38, from 2.2.0 before 2.2.0p46, and all versions of 2.1.0 (EOL).

  • CVE-2025-32916 | Oct 9, 2025
    risk 0.00 | cvss - | epss 0.00

    Potential use of sensitive information in GET requests in Checkmk GmbH's Checkmk versions <2.4.0p13, <2.3.0p38, <2.2.0p46, and 2.1.0 (EOL) may cause sensitive form data to be included in URL query parameters, which may be logged in various places such as browser history or web…

  • CVE-2025-58127 | Aug 28, 2025
    risk 0.00 | cvss - | epss 0.00

    Improper Certificate Validation in Checkmk Exchange plugin Dell Powerscale allows attackers in MitM position to intercept traffic.

  • CVE-2025-58125 | Aug 28, 2025
    risk 0.00 | cvss - | epss 0.00

    Improper Certificate Validation in Checkmk Exchange plugin Freebox v6 agent allows attackers in MitM position to intercept traffic.

  • CVE-2025-58124 | Aug 28, 2025
    risk 0.00 | cvss - | epss 0.00

    Improper Certificate Validation in Checkmk Exchange plugin check-mk-api allows attackers in MitM position to intercept traffic.

  • CVE-2025-58123 | Aug 28, 2025
    risk 0.00 | cvss - | epss 0.00

    Improper Certificate Validation in Checkmk Exchange plugin BGP Monitoring allows attackers in MitM position to intercept traffic.

Page 2 of 6