Stored XSS Flaws in Checkmk 2.5.0 Beta Enable Cross-User Script Execution
Checkmk disclosed two stored cross-site scripting vulnerabilities affecting Checkmk 2.5.0 beta releases before 2.5.0b2. The issues, tracked as CVE-2026-33276 and CVE-2026-20915, allow authenticated users to inject malicious JavaScript that later executes in other users’ browsers. Both flaws are classified as CWE-79 and are remotely exploitable with low attack complexity, though successful exploitation requires user interaction.
The first bug, CVE-2026-33276, affects the Unified Search feature and stems from unescaped host or service names, enabling users with permission to create hosts or services to plant persistent script payloads. The second, CVE-2026-20915, affects the Pending Changes sidebar and allows users with permission to create pending changes to inject stored JavaScript viewed by other users. Checkmk published vendor advisories for the flaws as Werk 19525 and Werk 19526, and both issues were reported to security@checkmk.com.
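As an added illustration that is not taken from the Checkmk advisories or code base, the following Python sketch shows the defect class described above: an untrusted host name copied into a search-result row without output encoding, beside a version that encodes each value for the context it lands in (text node, quoted attribute, URL query). The renderer, the constructed sample names and the `leaks_markup` audit helper are assumptions made here, not Checkmk's own code.

```python
import html
from urllib.parse import quote

# Constructed sample names standing in for values a user with "create hosts"
# permission could set. The two marked-up entries are defender test strings.
HOST_NAMES = [
    "web01.example.internal",
    '<img src=x onerror="alert(1)">',
    'db02" onmouseover="alert(1)',
]

def render_result_vulnerable(host_name: str, service: str) -> str:
    """Builds a search-result row by plain string formatting.
    Any markup in host_name or service is copied into the page verbatim,
    so it is stored once and executed in every viewer's browser."""
    return (f'<li data-host="{host_name}">'
            f'<a href="/view?host={host_name}">{host_name}</a> {service}</li>')

def render_result_fixed(host_name: str, service: str) -> str:
    """Encodes each untrusted value for its insertion context.
    html.escape(quote=True) covers text nodes and double-quoted attributes
    (it encodes <, >, &, " and '); the URL query uses percent-encoding."""
    safe_text = html.escape(host_name, quote=True)
    safe_service = html.escape(service, quote=True)
    safe_url = quote(host_name, safe="")
    return (f'<li data-host="{safe_text}">'
            f'<a href="/view?host={safe_url}">{safe_text}</a> {safe_service}</li>')

def leaks_markup(rendered: str, untrusted: str) -> bool:
    """True when an untrusted value containing markup characters reaches the
    output byte-for-byte, i.e. the rendering step performed no encoding."""
    has_markup = any(ch in untrusted for ch in "<>\"'")
    return has_markup and untrusted in rendered

def audit(renderer) -> list[str]:
    """Runs a renderer over the constructed names and returns those that leak.
    A non-empty result is the signal to look for in a template review."""
    return [name for name in HOST_NAMES if leaks_markup(renderer(name, "CPU load"), name)]

if __name__ == "__main__":
    print("vulnerable renderer leaks:", audit(render_result_vulnerable))
    print("fixed renderer leaks:", audit(render_result_fixed))
```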

How this story unfolded
CVE entries published for Checkmk stored XSS vulnerabilities
CVE-2026-33276 and CVE-2026-20915 were publicly recorded, classifying both issues as CWE-79 stored XSS vulnerabilities in Checkmk 2.5.0 beta before 2.5.0b2. The disclosures note authenticated attack paths and cross-user browser script execution risks.
Checkmk publishes vendor references for the two XSS issues
Checkmk published vendor advisories for the vulnerabilities as Werk 19525 and Werk 19526, documenting the stored XSS issues in Unified Search and the Pending Changes sidebar for affected 2.5.0 beta versions before 2.5.0b2.
Checkmk receives reports for two stored XSS flaws in 2.5.0 beta
On March 31, 2026, security@checkmk.com received reports for two stored cross-site scripting vulnerabilities affecting Checkmk 2.5.0 beta releases before 2.5.0b2. One flaw impacts Unified Search via unescaped host or service names (CVE-2026-33276), and the other affects the Pending Changes sidebar (CVE-2026-20915).