CVE-2026-33276
Received Received - Intake
Stored XSS in Checkmk Unified Search Allows Arbitrary Script Execution

Publication date: 2026-03-31

Last updated on: 2026-04-02

Assigner: Checkmk GmbH

Description
Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33276
EUVD
EUVD-2026-17429
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
checkmk checkmk 2.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33276 is a stored cross-site scripting (XSS) vulnerability found in the Unified Search feature of Checkmk versions 2.5.0 and 2.6.0b1. It occurs because host and service names are not properly sanitized before being displayed in search results.

An authenticated user with permission to create hosts or services can exploit this vulnerability by creating a host or service with a maliciously crafted name containing JavaScript code. This code then executes in the browsers of other users who perform searches and view the infected entries.

Impact Analysis

This vulnerability can allow an attacker with limited permissions to execute arbitrary JavaScript code in the browsers of other users. This can lead to session hijacking, unauthorized actions performed on behalf of other users, data theft, or other malicious activities within the affected application.

Because the vulnerability affects the Unified Search feature, any user performing searches could be exposed to the malicious script, increasing the risk of widespread impact within an organization using Checkmk.

Detection Guidance

This vulnerability can be detected by checking if your Checkmk installation is running a vulnerable version (2.5.0 beta or before 2.5.0b2) and if there are any hosts or services with names containing suspicious or malicious JavaScript code.

Since the issue involves stored cross-site scripting in host or service names, you can search the database or configuration files for entries containing script tags or JavaScript code.

Example commands to detect suspicious entries might include:

  • Using grep to find suspicious script tags in configuration or data files: grep -r -i '<script' /path/to/checkmk/config_or_data
  • Querying the Checkmk database or API for host or service names containing suspicious patterns such as '<script>' or 'javascript:'.

Additionally, monitoring user activity for creation of hosts or services with unusual names and reviewing logs for search queries that trigger script execution can help detect exploitation attempts.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Checkmk to a fixed version where the issue has been addressed, specifically versions after 2.5.0b2.

The fix properly escapes host and service names in the Unified Search results, preventing execution of malicious JavaScript code.

Until the upgrade can be applied, restrict permissions to create hosts or services only to trusted users to reduce the risk of exploitation.

Also, review and sanitize existing host and service names to remove any malicious scripts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33276. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart