Potential livestatus injection in prediction graph page

Description

Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value.

Affected Products

Vendor	Product	Versions
checkmk	checkmk	2.5.0, 2.4.0, 2.3.0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
checkmk	checkmk	cert_advisory	90%

References

https://checkmk.com/werk/17990(vendor-advisory)

Related News (2 articles)

Tier B

BSI Advisories2h ago

[NEU] [mittel] Checkmk: Mehrere Schwachstellen

→ No new info (linked only)

Tier C

VulDB4h ago

CVE-2026-33457 | Checkmk up to 2.3.0p46/2.4.0p25/2.5.0b3 Livestatus Command service name delimiter

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

2.5.0b42.4.0p262.3.0p47

CWECWE-140

PublishedApr 10, 2026

Last enriched4h agov2

Trending Score61

Source articles2

Independent2

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Version History

Last enriched 4h ago

v2Tier C4h ago

Updated severity to CRITICAL, affected versions to include 2.3.0p46, 2.4.0p25, 2.5.0b3, and noted that no exploit is available.

severityaffectedVersionsactivelyExploited

via VulDB

v14h ago

Initial creation

Potential livestatus injection in prediction graph page

Description

Affected Products

Also Affects

References

Related News (2 articles)

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History