CVE-2025-64999
checkmk · checkmk

Description

Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link.

Affected Products

Vendor | Product | Versions
checkmk | checkmk | —

References

  • https://checkmk.com/werk/19238 (Vendor Advisory)
  • https://github.com/sbaresearch/advisories/tree/e72ce9bb6b9ffffc1fc35e4d8152ad153293c851/2025/SBA-ADV-20251118-01_Checkmk_Cross_Site_Scripting

CVSS 3.1: 5.4 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA KEV: No
Actively exploited: No
CWE: CWE-79
Published: Feb 26, 2026
Last enriched: 8d ago
Trending Score: 0
Source articles: 0
Independent: 0
Info Completeness: 7/14
Missing: versions, epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

  • CVE-2026-33457 [NONE] [EXP]: Potential livestatus injection in prediction graph page (Trending: 60)
  • CVE-2026-33456 [NONE] [EXP]: Potential livestatus injection in notification test (Trending: 60)
  • CVE-2026-33455 [NONE] [EXP]: Livestatus injection in monitoring quicksearch (Trending: 60)
  • CVE-2026-3466 [NONE]: Cross-site scripting in dashlet title (Trending: 24)
  • CVE-2025-39666 [NONE]: omd: Local privilege escalation when executing omd commands as root (Trending: 24)

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published: Feb 26, 2026
Discovered by ZDM: Apr 1, 2026