Multiple Vulnerabilities Disclosed in Checkmk, Including Cross-Site Scripting Flaws
German authorities published two security advisories for Checkmk covering multiple vulnerabilities, including flaws that could enable cross-site scripting (XSS). One advisory specifically identifies several XSS issues in the IT infrastructure and monitoring platform, while a later advisory broadens the scope to additional unspecified vulnerabilities affecting Checkmk.
The disclosures indicate that organizations using Checkmk should review vendor guidance and available patches promptly, as the vulnerabilities may expose monitoring environments to client-side code execution and other security risks. The advisories were issued by dCERT under identifiers 2026-0909 and 2026-0965, signaling an ongoing vulnerability response affecting the product.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
dCERT publishes advisory 2026-1029 on Checkmk multiple vulnerabilities
dCERT published advisory 2026-1029 covering multiple vulnerabilities in Checkmk. This appears to be a new follow-on disclosure in the sequence of Checkmk advisories.
dCERT publishes advisory 2026-0965 on multiple Checkmk vulnerabilities
dCERT later published advisory 2026-0965 concerning multiple vulnerabilities in Checkmk. The reference indicates a follow-on disclosure or update involving additional Checkmk security issues.
dCERT publishes advisory 2026-0909 on Checkmk XSS vulnerabilities
dCERT published advisory 2026-0909 for Checkmk, describing multiple vulnerabilities that allow cross-site scripting. This is the earliest disclosed event in the provided references.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
dCERT - Advisory 2026-1029 - Checkmk: Multiple Vulnerabilities
dcert.de
Open sourcedCERT - Advisory 2026-0965 - Checkmk: Multiple Vulnerabilities
dcert.de
Open sourcedCERT - Advisory 2026-0909 - Checkmk: Multiple Vulnerabilities allow Cross-Site Scripting
dcert.de
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Stored XSS Flaws in Checkmk 2.5.0 Beta Enable Cross-User Script Execution
Checkmk disclosed two stored cross-site scripting vulnerabilities affecting **Checkmk 2.5.0 beta releases before `2.5.0b2`**. The issues, tracked as **`CVE-2026-33276`** and **`CVE-2026-20915`**, allow authenticated users to inject malicious JavaScript that later executes in other users’ browsers. Both flaws are classified as **`CWE-79`** and are remotely exploitable with low attack complexity, though successful exploitation requires user interaction. The first bug, **`CVE-2026-33276`**, affects the **Unified Search** feature and stems from unescaped host or service names, enabling users with permission to create hosts or services to plant persistent script payloads. The second, **`CVE-2026-20915`**, affects the **Pending Changes** sidebar and allows users with permission to create pending changes to inject stored JavaScript viewed by other users. Checkmk published vendor advisories for the flaws as **Werk `19525`** and **Werk `19526`**, and both issues were reported to `security@checkmk.com`.
Mar 31, 2026
Multiple MediaWiki and Extension Vulnerabilities Expose Sites to XSS Risks
dCERT issued an advisory for **multiple vulnerabilities in MediaWiki**, followed by a second advisory covering **multiple vulnerabilities in MediaWiki extensions that allow cross-site scripting (XSS)**. The notices indicate that organizations running MediaWiki-based platforms may be exposed through flaws in both the core software and its extension ecosystem. The combined advisories point to a broader security issue for MediaWiki deployments, where weaknesses in core components and add-on extensions can increase the risk of malicious script injection and related compromise of user sessions or administrative actions. Organizations using MediaWiki should review affected versions, assess installed extensions, and apply vendor fixes or mitigations as they become available.
Apr 10, 2026
Multiple Unrelated Critical Vulnerabilities Disclosed in October 2025
A series of critical and high-severity vulnerabilities affecting a diverse set of software products were publicly disclosed in October 2025. Epsilon RH by Grupo Castilla was found to have a SQL injection vulnerability (CVE-2025-41028) that allows attackers to manipulate the database by sending crafted POST requests to the 'sEstadoUsr' parameter in the '/epsilonnetws/WSAvisos.asmx' endpoint. Lanscope Endpoint Manager (CVE-2025-61932) was reported to have an improper origin verification flaw, enabling attackers to execute arbitrary code via specially crafted packets, though remote exploitation is not possible. Galaxy Software Services Vitals ESP Forum Module (CVE-2025-31342) was discovered to allow remote authenticated users to upload dangerous files, leading to arbitrary command execution. Fsas Technologies Inc.'s ETERNUS SF (CVE-2025-62577) contains incorrect default permissions, allowing low-privileged users to obtain database credentials and potentially escalate privileges to execute OS commands as an administrator. Excellent Infotek's Document Management System (CVE-2025-11948) is vulnerable to unauthenticated arbitrary file upload, enabling attackers to deploy web shells and execute code on the server. Vvveb CMS up to version 1.0.5 is susceptible to authenticated code injection via its Code Editor, allowing attackers to modify files and achieve remote code execution. The Theme Editor plugin for WordPress (CVE-2025-9890) is vulnerable to cross-site request forgery, which can be exploited to achieve remote code execution if an administrator is tricked into clicking a malicious link. The PPOM plugin for WooCommerce (CVE-2025-11391) allows unauthenticated arbitrary file uploads, posing a severe risk to affected e-commerce sites. The Appointments plugin for WordPress (CVE-2017-20206) and the Flickr Gallery plugin (CVE-2017-20207) both suffer from unauthenticated PHP object injection vulnerabilities, which have been actively exploited to create backdoors using the WP_Theme() class. RegistrationMagic (CVE-2017-20208) is also affected by a PHP object injection flaw, allowing attackers to fetch and install remote files. Finally, BLU-IC2 and BLU-IC4 devices (CVE-2025-11925) have an API that returns an incorrect Content-Type header, potentially enabling HTML/JavaScript injection in responses. Each of these vulnerabilities presents a significant risk, with several allowing remote code execution, privilege escalation, or the installation of persistent backdoors. The affected products span web applications, content management systems, endpoint management tools, and specialized enterprise software. Security teams are advised to review the specific advisories, apply patches or mitigations where available, and monitor for signs of exploitation, as several vulnerabilities have been reported as actively exploited in the wild. The diversity and severity of these disclosures underscore the ongoing need for rigorous vulnerability management and timely response to public advisories.
Mar 21, 2026