Platform: php
Component: checkmk
Fixed in: 2.5.4, 2.3.0p46, 2.4.0p25, 2.5.0
CVE-2026-3466 describes a stored Cross-Site Scripting (XSS) vulnerability affecting Checkmk versions 2.2.0 through 2.5.0. An attacker with dashboard creation privileges can inject a malicious script into a dashlet title, which then affects any user who views a shared dashboard containing that dashlet. The vulnerability was published on April 7, 2026, and a fix is available in Checkmk 2.5.0.
An attacker can exploit this vulnerability by crafting a malicious link in a dashlet title and tricking a user with dashboard viewing privileges into clicking it. On click, the injected script executes in the victim's browser context, enabling session hijacking, data theft, or defacement of the Checkmk interface. The impact is amplified in environments where dashboards are widely shared, since a single compromised dashlet can affect a large number of users. The root cause is inadequate sanitization of links in dashlet titles, which underlines the need for proper output encoding and access controls in web applications.
CVE-2026-3466 is not currently listed in the CISA KEV catalog. Public proof-of-concept (POC) code is not yet available, suggesting a low to medium probability of active exploitation. The vulnerability was disclosed publicly on April 7, 2026, matching the NVD publication date.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
The primary mitigation for CVE-2026-3466 is to upgrade to Checkmk version 2.5.0, which includes the necessary fix. If upgrading immediately is not feasible, restrict dashboard creation privileges to trusted users only. A Web Application Firewall (WAF) with rules that detect and block XSS attempts targeting dashlet titles adds a further layer of defense. Regularly review and audit dashboard configurations to identify and remove any potentially malicious dashlets. After upgrading, confirm the fix by creating a dashlet whose title contains a simple JavaScript payload (e.g., <script>alert('XSS')</script>) and viewing the dashboard: the payload should not execute.
Update Checkmk to version 2.5.4 or later to mitigate the XSS vulnerability in dashlet titles, or apply the corresponding security patches for the 2.3.0p46, 2.4.0p25, and 2.5.0 releases. The update corrects the inadequate sanitization of links in dashlet titles and thereby prevents the execution of injected scripts.
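The fix described above boils down to treating a user-supplied dashlet title as data, not markup, and accepting a title link only when its scheme is one the application intends to render. The following Python is an added illustration of that pattern written for this page; it is not Checkmk's code or its actual patch, and the function names (safe_href, render_dashlet_title), the CSS class and the allowed-scheme list are assumptions made for the example.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Schemes a dashlet title is allowed to link to (assumed policy for this example).
ALLOWED_SCHEMES = {"http", "https"}


def safe_href(url: Optional[str]) -> Optional[str]:
    """Return the URL if it is an absolute http(s) link or a site-relative path.

    Anything else (javascript:, data:, vbscript:, protocol-relative //host, ...)
    is rejected by returning None, so the caller renders plain text instead.
    """
    if not url:
        return None
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme:
        # urlsplit lower-cases the scheme, so mixed-case "JavaScript:" is caught too.
        return url if parts.scheme.lower() in ALLOWED_SCHEMES else None
    # No scheme: accept only site-relative paths, never protocol-relative "//host".
    if url.startswith("//") or not url.startswith("/"):
        return None
    return url


def render_dashlet_title(title: str, url: Optional[str] = None) -> str:
    """Render a dashlet title as HTML.

    The title text is always HTML-escaped, so <script> or attribute-breaking
    quotes become literal characters; a link is emitted only when the URL
    passes safe_href(). (Hypothetical renderer, not Checkmk's.)
    """
    text = html.escape(title, quote=True)
    href = safe_href(url)
    if href is None:
        return f'<span class="dashlet-title">{text}</span>'
    return (
        f'<a class="dashlet-title" href="{html.escape(href, quote=True)}" '
        f'rel="noopener noreferrer">{text}</a>'
    )


if __name__ == "__main__":
    # Constructed sample inputs: a harmless title, the advisory's verification
    # payload as a title, and a title link using a script scheme.
    print(render_dashlet_title("Host overview", "/view.py?view_name=allhosts"))
    print(render_dashlet_title("<script>alert('XSS')</script>"))
    print(render_dashlet_title("Hosts", "javascript:alert(1)"))
```

Used as a post-upgrade check, the same idea applies from the outside: after creating a dashlet with the advisory's test title, the rendered page source should show the payload escaped (as &lt;script&gt;...) rather than as a live tag, and a title link with a non-http(s) scheme should not appear as an anchor.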
CVE-2026-3466 is a stored Cross-Site Scripting (XSS) vulnerability in Checkmk versions 2.2.0–2.5.0, allowing attackers to inject malicious scripts via dashlet titles.
You are affected if you are running Checkmk versions 2.2.0, 2.3.0 before 2.3.0p46, 2.4.0 before 2.4.0p25, or 2.5.0 (beta) before 2.5.0.
Upgrade to Checkmk version 2.5.0 to resolve the vulnerability. Restrict dashboard creation privileges as a temporary workaround.
There is currently no confirmed active exploitation of CVE-2026-3466, but the lack of a public POC does not guarantee it won't be exploited.
Refer to the official Checkmk security advisory for detailed information and updates regarding CVE-2026-3466.