CVE-2026-8833
Status: Undergoing Analysis - In Progress
Improper URL Validation Leading to XSS in Checkmk

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: Checkmk GmbH

Description
Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another user interacts with the crafted link.
Affected Vendors & Products
One associated CPE:
Vendor: checkmk
Product: checkmk
Version / Range: to 2.2.0 (exc)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-8833 is a Cross-Site Scripting (XSS) vulnerability in the URL validation function of Checkmk versions prior to 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions.

The vulnerability arises because the URL validation function does not properly neutralize HTML-encoded characters, allowing an authenticated user to bypass URL validation.

This enables the injection of malicious URLs, such as those starting with "javascript:", which can lead to cross-site scripting attacks when another user interacts with the crafted link.

Impact Analysis

This vulnerability can allow an authenticated attacker to inject malicious scripts via crafted URLs that bypass validation.

When other users interact with these malicious links, the injected scripts can execute in their browsers, potentially leading to theft of session tokens, unauthorized actions, or other malicious activities.

Because the vulnerability has a high CVSS score of 8.5, it represents a significant security risk.

Detection Guidance

This vulnerability involves the improper neutralization of HTML-encoded characters in URL validation, allowing injection of malicious URLs such as javascript: URIs. Detection would involve monitoring for suspicious URL patterns that include encoded characters or javascript: schemes within Checkmk URLs.

Since the vulnerability requires an authenticated user to inject malicious URLs, detection can include reviewing logs for unusual URL parameters or payloads containing 'javascript:' or encoded variants.

Specific commands are not provided in the available resources, but general approaches could include using web application firewall (WAF) rules to detect and block URLs containing 'javascript:' schemes or scanning logs for such patterns.

Mitigation Strategies

The primary mitigation step is to upgrade Checkmk to 2.5.0p5, 2.4.0p31, or 2.3.0p48 (or a later release in the same line), as these are the versions that contain the patch that properly neutralizes HTML-encoded characters in URL validation.

No manual interaction is required for the fix, and it is compatible with existing versions, so applying the official update from Checkmk is the recommended immediate action.

Additionally, restricting authenticated user permissions and monitoring for suspicious URL usage can help mitigate exploitation until the update is applied.
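As an added illustration of the bug class described above and of the log review the detection guidance suggests (hypothetical code written for this page, not Checkmk's validator, its actual fix, or its log format): a weak check that inspects the raw string, a hardened check that allowlists the scheme only after HTML-entity and percent decoding, and a detection pass over constructed log lines. The parameter names, log layout and sample lines are assumptions.

```python
"""Illustration of the bug class behind CVE-2026-8833 (hypothetical code, not Checkmk's)."""
import html
import re
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https", ""}        # "" covers relative links
_CTRL = re.compile(r"[\x00-\x20\x7f]")         # whitespace/control bytes browsers ignore in a scheme
LINK_PARAM = re.compile(r"(?:^|[?&])(?:url|link|href)=([^&\s\"]+)")  # assumed parameter names


def naive_validate(url: str) -> bool:
    """Pattern of a weak check: it inspects the raw string, so an HTML-encoded
    scheme such as '&#106;avascript:' is not recognised and slips through."""
    return not url.lower().startswith("javascript:")


def normalise(url: str) -> str:
    """Decode the way a browser eventually will: HTML entities (possibly nested
    inside percent-encoding), percent-escapes, and embedded control characters."""
    prev = None
    while prev != url:                          # iterate to a fixed point against double encoding
        prev = url
        url = unquote(html.unescape(url))
    return _CTRL.sub("", url)


def hardened_validate(url: str) -> bool:
    """Allowlist the scheme of the *normalised* URL instead of denylisting raw text."""
    try:
        scheme = urlsplit(normalise(url)).scheme
    except ValueError:                          # malformed netloc (e.g. bad IPv6 literal)
        return False
    return scheme.lower() in ALLOWED_SCHEMES


def flag_suspicious(log_lines):
    """Detection pass: return (line_no, decoded_url) for requests whose link
    parameter normalises to a scheme outside the allowlist."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for raw in LINK_PARAM.findall(line):
            if not hardened_validate(raw):
                hits.append((n, normalise(raw)))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real Checkmk access-log output
    '10.0.0.5 - alice "GET /check_mk/view.py?url=https://wiki.example.test/page HTTP/1.1" 200',
    '10.0.0.9 - bob "GET /check_mk/view.py?url=%26%23106%3Bavascript%3Aalert%281%29 HTTP/1.1" 200',
]
```

The second sample line carries the scheme HTML-encoded and then percent-encoded, which is exactly the case a raw-string check misses and the normalising check catches.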
