Impact Analysis

This vulnerability can lead to stored cross-site scripting attacks, which may allow attackers to execute malicious scripts in the context of the victim's browser session. This can result in unauthorized actions, data theft, or session hijacking.

Since exploitation requires the victim to click on a malicious dashlet title link on a shared dashboard, users who interact with dashboards created by others are at risk. The vulnerability has a high severity rating with a CVSS 4.0 score of 8.5.

Mitigation includes avoiding clicking on dashboard title links from untrusted or unknown dashboards.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves stored cross-site scripting (XSS) in the title links of dashboard dashlets within Checkmk. Detection involves identifying dashboards with potentially malicious or crafted dashlet title links that could execute JavaScript when clicked.

Since exploitation requires an attacker with dashboard creation privileges to create and share a dashboard containing malicious dashlet title links, detection can focus on reviewing dashboards created or shared recently, especially those made public or shared with many users.

There are no specific commands provided in the available resources to detect this vulnerability directly on the network or system.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-3466 is a stored cross-site scripting (XSS) vulnerability found in the title links of dashboard dashlets within Checkmk software. The problem occurs because these title links are not properly sanitized, allowing an attacker with dashboard creation privileges to embed malicious JavaScript code.

To exploit this vulnerability, the attacker must create and share a dashboard containing a crafted dashlet title link. When a victim clicks on this malicious link on the shared dashboard, the embedded script executes, potentially compromising the victim's session or data.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include avoiding clicking on dashboard dashlet title links from untrusted or unknown dashboards, as the vulnerability requires user interaction with such links.

Ensure that your Checkmk installation is updated to a fixed version where the issue has been resolved by proper sanitization of dashlet title links. The fix does not require manual user intervention beyond updating.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to perform stored cross-site scripting (XSS) attacks by embedding malicious JavaScript in dashboard dashlet title links. This can lead to unauthorized actions or data exposure when a victim clicks a crafted link.

Such security weaknesses can impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks. Exploitation of this vulnerability could potentially lead to data breaches or unauthorized data manipulation, thereby violating these regulations.

Mitigation involves proper sanitization of inputs and cautious user behavior, but the presence of this vulnerability in affected versions means organizations using them may face increased risk of non-compliance until patched.

Useful 0 Not Useful 0