VYPR

Checkmate

by Bluewave Labs

CVEs (5)

  • CVE-2025-47817 | High | May 10, 2025
    risk 0.50 | cvss 8.8 | epss 0.00

    In BlueWave Checkmate through 2.0.2 before b387eba, a profile edit request can include a role parameter.

  • CVE-2025-47245 | High | May 4, 2025
    risk 0.46 | cvss 8.1 | epss 0.00

    In BlueWave Checkmate through 2.0.2 before d4a6072, an invite request can be modified to specify a privileged role.

  • CVE-2025-48024 | Medium | May 15, 2025
    risk 0.26 | cvss 5.0 | epss 0.00

    In BlueWave Checkmate before 2.1, an authenticated regular user can access sensitive application secrets via the /api/v1/settings endpoint.

  • CVE-2026-31836 | Mar 20, 2026
    risk 0.00 | cvss | epss 0.00

    Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. In versions 3.5.1 and prior, a mass assignment vulnerability in Checkmate's user profile update endpoint allows any authenticated user to escalate their privileges to superadmin, bypassing all role-based access controls. An attacker can modify their user role to gain complete administrative access to the application, including the ability to view all users, modify critical configurations, and access sensitive system data. At time of publication, there are no publicly available patches.

  • CVE-2026-30829 | Mar 7, 2026
    risk 0.00 | cvss | epss 0.00

    Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, an unauthenticated information disclosure vulnerability exists in the GET /api/v1/status-page/:url endpoint. The endpoint does not enforce authentication or verify whether a status page is published before returning full status page details. As a result, unpublished status pages and their associated internal data are accessible to any unauthenticated user via direct API requests. This issue has been patched in version 3.4.0.