PatchSiren cyber security CVE debrief
CVE-2026-8833 Checkmk GmbH CVE debrief
CVE-2026-8833 is a HIGH severity vulnerability in Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions. It allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another user interacts with the crafted link.
- Vendor: Checkmk GmbH
- Product: Checkmk
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-09
Who should care
Users of Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions should apply patches or mitigations.
Technical summary
The vulnerability is caused by improper neutralization of HTML-encoded characters in the URL validation function. This allows an authenticated user to inject malicious URLs, potentially leading to cross-site scripting (XSS) attacks.
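The weakness class described above, as an added example that is not Checkmk's code: a validator that inspects the raw string next to one that decodes HTML entities before allow-listing the scheme. The function names, the `ALLOWED_SCHEMES` set and the sample inputs are assumptions constructed for illustration.

```python
import html
import re

ALLOWED_SCHEMES = {"http", "https"}  # assumption: allow-list chosen for this example
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(map(chr, range(0x21)))


def naive_is_safe_url(value: str) -> bool:
    """Weak form: inspects the raw string, so entity-encoded input slips past."""
    return not value.strip().lower().startswith("javascript:")


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode HTML entities until the value is stable, so a value that is
    rendered through more than one layer cannot regain a scheme later."""
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("too many nested encoding layers")
    # URL parsers drop tab/CR/LF anywhere and trim leading controls and spaces.
    value = re.sub(r"[\t\r\n]", "", value)
    return value.lstrip(_C0_AND_SPACE)


def is_safe_url(value: str) -> bool:
    """Hardened form: canonicalize first, then allow-list the scheme."""
    try:
        candidate = canonicalize(value)
    except ValueError:
        return False
    match = _SCHEME.match(candidate)
    if match is None:
        return True  # relative reference, no scheme present
    return match.group(1).lower() in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ("java&#115;cript:void(0)",
                   "javascript&colon;void(0)",
                   "https://monitor.example/check_mk/view.py?a=1&amp;b=2"):
        print(f"{sample!r}: naive={naive_is_safe_url(sample)} "
              f"hardened={is_safe_url(sample)}")
```

An allow-list on the decoded scheme also rejects other script-capable schemes without having to enumerate them.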
Defensive priority
HIGH
Recommended defensive actions
- Apply patches or updates to Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions.
- Implement additional security measures to monitor and restrict user input.
Evidence notes
CVE-2026-8833 has a CVSS score of 8.5 and is considered HIGH severity. The vulnerability was published on 2026-06-08T13:16:33.900Z and modified on 2026-06-09T14:49:31.967Z.
Official resources
- CVE-2026-8833 CVE record (CVE.org)
- CVE-2026-8833 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Vendor Advisory