SBA Security Advisory – Checkmk Cross Site Scripting (CVE-2025-39663)

Vulnerability Overview

Checkmk in versions before 2.4.0p14 and 2.3.0p39, as well as in branches 2.2.0, 2.1.0 and 2.0.0 is prone to a Stored Cross-Site Scripting (XSS) vulnerability when used in a distributed monitoring setup. Any connected remote site can inject JavaScript code in the central site’s user interface.

  • Type of Vulnerability: Cross Site Scripting
  • Fixed in Version: 2.4.0p14, 2.3.0p39
  • CVE ID: CVE-2025-39663
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • CVSS Base Score: 9.1 (Critical)
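A small triage helper, added here and not part of the advisory, that classifies a Checkmk version string against the affected and fixed versions listed above (fixed in 2.4.0p14 and 2.3.0p39; branches 2.2.0, 2.1.0 and 2.0.0 affected with no fix named). It assumes the `MAJOR.MINOR.MICRO[pN]` version form and treats a missing `pN` as `p0`.

```python
import re
from typing import Optional, Tuple

# Fixed patch releases per branch, taken from the advisory: (major, minor) -> pN.
FIXED = {(2, 4): 14, (2, 3): 39}
# Branches the advisory lists as affected without naming a fixed release.
UNFIXED_BRANCHES = {(2, 2), (2, 1), (2, 0)}

# Assumption: versions look like "2.4.0p14" or "2.4.0"; other suffixes are rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MICRO[pN]' into a tuple; a missing pN counts as p0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Checkmk version string: {text!r}")
    major, minor, micro, patch = m.groups()
    return int(major), int(minor), int(micro), int(patch or 0)


def is_affected(version: str) -> Optional[bool]:
    """Return True if affected, False if fixed, None if the branch is not covered."""
    major, minor, _micro, patch = parse_version(version)
    branch = (major, minor)
    if branch in UNFIXED_BRANCHES:
        return True            # whole branch listed as affected, no fix available
    if branch in FIXED:
        return patch < FIXED[branch]
    return None                # branch not mentioned by the advisory


if __name__ == "__main__":
    # Constructed sample inventory of central/remote site versions.
    for v in ["2.4.0p13", "2.4.0p14", "2.3.0p38", "2.3.0p39", "2.2.0p40", "2.5.0"]:
        print(f"{v:10} affected={is_affected(v)}")
```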

Recommended Countermeasure

We recommend updating to Checkmk version 2.4.0p14, 2.3.0p39 or later and disabling the option "Trust this site completely" for all remote sites.

Links

Full Security Advisory

Credits

Lisa Gnedt (SBA Research)