CVE-2026-7186
Analyzed Analyzed - Analysis Complete
Stored XSS in Checkmk Dashboard Widget

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: Checkmk GmbH

Description
Stored cross-site scripting in the URL dashboard widget in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the dashboard.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-08
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-7186
EUVD
EUVD-2026-35061
Affected Vendors & Products
Showing 157 associated CPEs
Vendor Product Version / Range
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.3.0
checkmk checkmk 2.2.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.2.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.2.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.2.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.2.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.2.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.5.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.5.0
checkmk checkmk 2.3.0
checkmk checkmk 2.4.0
checkmk checkmk 2.5.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.3.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.5.0
checkmk checkmk 2.5.0
checkmk checkmk 2.5.0
checkmk checkmk 2.5.0
checkmk checkmk 2.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7186 is a stored Cross-Site Scripting (XSS) vulnerability found in the URL dashboard widget of Checkmk versions prior to 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions. It allows a user with dashboard editing permissions to store a URL containing a dangerous URI scheme such as javascript:. When other users view the dashboard, the malicious script embedded in the URL executes in their browsers.

The vulnerability arises because the widget previously accepted any URI scheme without restriction, enabling the injection of harmful scripts. The attack requires the victim to access the shared dashboard through options like Customize > Dashboards or the Monitor menu.

The issue has been fixed by restricting the widget to accept only http and https URLs, preventing the execution of malicious scripts.

Impact Analysis

This vulnerability can lead to the execution of malicious scripts in the browsers of users who view the compromised dashboard. Such scripts could steal sensitive information, hijack user sessions, or perform actions on behalf of the user without their consent.

Because the attack requires only that a user with dashboard editing permissions insert a malicious URL, and victims simply need to view the dashboard, it poses a significant risk of unauthorized code execution and potential data compromise.

The vulnerability has a high severity rating with a CVSS score of 8.5, indicating a serious impact if exploited.

Detection Guidance

This vulnerability involves stored Cross-Site Scripting (XSS) in the URL dashboard widget of Checkmk versions prior to the fixed releases. Detection involves identifying dashboard URLs that contain dangerous URI schemes such as "javascript:" instead of only "http" or "https".

You can detect potentially malicious URLs by reviewing the dashboard widget configurations or database entries where URLs are stored. Look for URLs starting with non-http/https schemes.

While no specific commands are provided in the resources, a general approach could be to query the Checkmk configuration or database for URL fields containing suspicious schemes. For example, if URLs are stored in a database, you might run a query like:

  • SELECT * FROM dashboard_widgets WHERE url LIKE 'javascript:%';

Alternatively, you can use command-line tools like grep to search configuration files or exported dashboard data for "javascript:" or other dangerous URI schemes.

Mitigation Strategies

The immediate mitigation step is to upgrade Checkmk to a fixed version where the vulnerability is patched. The fixed versions are 2.5.0p5, 2.4.0p31, and 2.3.0p48 or later.

These versions restrict the URL dashboard widget to accept only http and https URLs, preventing storage of dangerous URI schemes like javascript:.

Additionally, review and clean existing dashboard URLs to remove or replace any URLs with dangerous schemes that could trigger the XSS.

Limit dashboard editing permissions to trusted users only, as the vulnerability requires dashboard editing rights to exploit.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7186. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart