PatchSiren cyber security CVE debrief
CVE-2026-7186 Checkmk GmbH CVE debrief
CVE-2026-7186 is a HIGH severity vulnerability in Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions. It allows users with dashboard editing permissions to store a URL with a dangerous URI scheme, such as javascript:, that executes scripts in other users' browsers when they view the dashboard.
- Vendor: Checkmk GmbH
- Product: Checkmk
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-08
Who should care
Users of Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions who have dashboard editing permissions.
Technical summary
The vulnerability is a stored cross-site scripting (XSS) issue in the URL dashboard widget of Checkmk. An attacker with dashboard editing permissions can store a URL with a malicious URI scheme, such as javascript:, which will execute scripts in the browsers of other users who view the dashboard.
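The scheme check that this class of bug calls for, as an added example (not Checkmk's code or its actual fix): an allow-list validator for stored widget URLs that also catches `javascript:` written with mixed case, leading control characters or embedded tabs, which browsers strip before parsing. The function names, widget names and sample URLs are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumption for this example: only http(s) and relative URLs are legitimate.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers (WHATWG URL parsing) drop leading/trailing C0 controls and spaces
# and remove every tab/CR/LF inside the URL, so "java\tscript:" is javascript:.
_EDGE_CHARS = "".join(chr(c) for c in range(0x21))
_TAB_NEWLINE = re.compile(r"[\t\n\r]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize(url: str) -> str:
    """Apply the same pre-parse stripping a browser performs."""
    return _TAB_NEWLINE.sub("", url.strip(_EDGE_CHARS))


def url_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme a browser would see, or None if relative."""
    match = _SCHEME.match(normalize(url))
    return match.group(1).lower() if match else None


def is_safe_widget_url(url: str) -> bool:
    """Allow relative URLs and allow-listed schemes; reject everything else."""
    scheme = url_scheme(url)
    return scheme is None or scheme in ALLOWED_SCHEMES


def audit_widgets(widgets: Dict[str, str]) -> List[Tuple[str, Optional[str]]]:
    """List (widget name, offending scheme) for every stored URL that fails."""
    return [(name, url_scheme(url)) for name, url in widgets.items()
            if not is_safe_widget_url(url)]


# Constructed sample data: widget name -> stored URL.
SAMPLE_WIDGETS = {
    "uptime": "https://status.example.com/embed",
    "notes": "reports/overview?range=1:2",
    "w3": "javascript:void(0)",
    "w4": " Java\tScript:void(0)",
    "w5": "data:text/html,<p>x</p>",
}

if __name__ == "__main__":
    for name, scheme in audit_widgets(SAMPLE_WIDGETS):
        print(f"rejected widget {name!r}: scheme {scheme!r}")
```

An allow-list is used rather than a block-list of known-bad schemes, so `data:`, `vbscript:` and any scheme not yet considered are rejected by default.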
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Checkmk version 2.5.0p5 or later, 2.4.0p31 or later, or 2.3.0p48 or later.
- Restrict dashboard editing permissions to trusted users.
- Monitor dashboard usage for suspicious activity.
Evidence notes
CVE-2026-7186 was published on 2026-06-08T13:16:33.480Z and modified on 2026-06-08T15:53:35.183Z. The CVSS score is 8.5 (HIGH).
Official resources
- CVE-2026-7186 CVE record (CVE.org)
- CVE-2026-7186 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Vendor Advisory (public)