CVE-2026-33276
Stored XSS in Checkmk Unified Search Allows Arbitrary Script Execution
Publication date: 2026-03-31
Last updated on: 2026-04-02
Assigner: Checkmk GmbH
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| checkmk | checkmk | 2.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33276 is a stored cross-site scripting (XSS) vulnerability found in the Unified Search feature of Checkmk versions 2.5.0 and 2.6.0b1. It occurs because host and service names are not properly sanitized before being displayed in search results.
An authenticated user with permission to create hosts or services can exploit this vulnerability by creating a host or service with a maliciously crafted name containing JavaScript code. This code then executes in the browsers of other users who perform searches and view the infected entries.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with limited permissions to execute arbitrary JavaScript code in the browsers of other users. This can lead to session hijacking, unauthorized actions performed on behalf of other users, data theft, or other malicious activities within the affected application.
Because the vulnerability affects the Unified Search feature, any user performing searches could be exposed to the malicious script, increasing the risk of widespread impact within an organization using Checkmk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Checkmk installation is running a vulnerable version (2.5.0 beta or before 2.5.0b2) and if there are any hosts or services with names containing suspicious or malicious JavaScript code.
Since the issue involves stored cross-site scripting in host or service names, you can search the database or configuration files for entries containing script tags or JavaScript code.
Example commands to detect suspicious entries might include:
- Using grep to find suspicious script tags in configuration or data files: grep -r -i '<script' /path/to/checkmk/config_or_data
- Querying the Checkmk database or API for host or service names containing suspicious patterns such as '<script>' or 'javascript:'.
Additionally, monitoring user activity for creation of hosts or services with unusual names and reviewing logs for search queries that trigger script execution can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Checkmk to a fixed version where the issue has been addressed, specifically versions after 2.5.0b2.
The fix properly escapes host and service names in the Unified Search results, preventing execution of malicious JavaScript code.
Until the upgrade can be applied, restrict permissions to create hosts or services only to trusted users to reduce the risk of exploitation.
Also, review and sanitize existing host and service names to remove any malicious scripts.