Total
91 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-3103 | 1 Checkmk | 1 Checkmk | 2026-03-05 | N/A | 5.4 MEDIUM |
|
A logic error in the remove_password() function in Checkmk GmbH's Checkmk versions <2.4.0p23, <2.3.0p43, and 2.2.0 (EOL) allows a low-privileged user to cause data loss.
|
|||||
| CVE-2025-64999 | 1 Checkmk | 1 Checkmk | 2026-03-05 | N/A | 5.4 MEDIUM |
|
Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link.
|
|||||
| CVE-2025-65000 | 1 Checkmk | 1 Checkmk | 2025-12-23 | N/A | 5.3 MEDIUM |
|
SSH private keys of the "Remote alert handlers (Linux)" rule were exposed in the rule page's HTML source in Checkmk <= 2.4.0p18 and all versions of Checkmk 2.3.0. This potentially allowed unauthorized triggering of predefined alert handlers on hosts where the handler was deployed.
|
|||||
| CVE-2025-64997 | 1 Checkmk | 1 Checkmk | 2025-12-23 | N/A | 6.5 MEDIUM |
|
Insufficient permission validation in Checkmk versions prior to 2.4.0p17 and 2.3.0p42 allow low-privileged users to view agent information via the REST API, which could lead to information disclosure.
|
|||||
| CVE-2025-32916 | 1 Checkmk | 1 Checkmk | 2025-12-04 | N/A | 4.3 MEDIUM |
|
Potential use of sensitive information in GET requests in Checkmk GmbH's Checkmk versions <2.4.0p13, <2.3.0p38, <2.2.0p46, and 2.1.0 (EOL) may cause sensitive form data to be included in URL query parameters, which may be logged in various places such as browser history or web server logs.
|
|||||
| CVE-2025-32919 | 1 Checkmk | 1 Checkmk | 2025-12-04 | N/A | 7.8 HIGH |
|
Use of an insecure temporary directory in the Windows License plugin for the Checkmk Windows Agent allows Privilege Escalation. This issue affects Checkmk: from 2.4.0 before 2.4.0p13, from 2.3.0 before 2.3.0p38, from 2.2.0 before 2.2.0p46, and all versions of 2.1.0 (EOL).
|
|||||
| CVE-2025-39664 | 1 Checkmk | 1 Checkmk | 2025-12-04 | N/A | 6.5 MEDIUM |
|
Insufficient escaping in the report scheduler within Checkmk <2.4.0p13, <2.3.0p38, <2.2.0p46 and 2.1.0 (EOL) allows authenticated attackers to define the storage location of report file pairs beyond their intended root directory.
|
|||||
| CVE-2025-39663 | 1 Checkmk | 1 Checkmk | 2025-12-03 | N/A | 8.4 HIGH |
|
Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML code into service outputs in the central site. Affecting Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (eol).
|
|||||
| CVE-2025-58121 | 1 Checkmk | 1 Checkmk | 2025-11-24 | N/A | 5.4 MEDIUM |
|
Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information
|
|||||
| CVE-2025-64996 | 1 Checkmk | 1 Checkmk | 2025-11-24 | N/A | 4.4 MEDIUM |
|
In Checkmk versions prior to 2.4.0p16, 2.3.0p41, and all versions of 2.2.0 and older, the mk_inotify plugin creates world-readable and writable files, allowing any local user on the system to read the plugin's output and manipulate it, potentially leading to unauthorized access to or modification of monitoring data.
|
|||||
| CVE-2025-58122 | 1 Checkmk | 1 Checkmk | 2025-11-24 | N/A | 5.4 MEDIUM |
|
Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or information disclosure.
|
|||||
| CVE-2024-6163 | 1 Checkmk | 1 Checkmk | 2025-08-27 | N/A | 5.3 MEDIUM |
|
Certain http endpoints of Checkmk in Checkmk < 2.3.0p10 < 2.2.0p31, < 2.1.0p46, <= 2.0.0p39 allows remote attacker to bypass authentication and access data
|
|||||
| CVE-2025-32915 | 3 Checkmk, Linux, Oracle | 3 Checkmk, Linux Kernel, Solaris | 2025-08-26 | N/A | 5.5 MEDIUM |
|
Packages downloaded by Checkmk's automatic agent updates on Linux and Solaris have incorrect permissions in Checkmk < 2.4.0p1, < 2.3.0p32, < 2.2.0p42 and <= 2.1.0p49 (EOL). This allows a local attacker to read sensitive data.
|
|||||
| CVE-2024-38864 | 2 Checkmk, Microsoft | 2 Checkmk, Windows | 2025-08-25 | N/A | 3.3 LOW |
|
Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p23, < 2.2.0p38 and <= 2.1.0p49 (EOL) allows a local attacker to read sensitive data.
|
|||||
| CVE-2024-6572 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 7.4 HIGH |
|
Improper host key checking in active check 'Check SFTP Service' and special agent 'VNX quotas and filesystem' in Checkmk before Checkmk 2.3.0p15, 2.2.0p33, 2.1.0p48 and 2.0.0 (EOL) allows man-in-the-middle attackers to intercept traffic
|
|||||
| CVE-2025-3506 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 5.3 MEDIUM |
|
Files to be deployed with agents are accessible without authentication in Checkmk 2.1.0, Checkmk 2.2.0, Checkmk 2.3.0 and <Checkmk 2.4.0b6 allows attacker to access files that could contain secrets.
|
|||||
| CVE-2025-2092 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 7.5 HIGH |
|
Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p29, <2.2.0p41 and <=2.1.0p49 (EOL) causes remote site authentication secrets to be written to log files accessible to administrators.
|
|||||
| CVE-2025-2596 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 5.3 MEDIUM |
|
Session logout could be overwritten in Checkmk GmbH's Checkmk versions <2.3.0p30, <2.2.0p41, and 2.1.0p49 (EOL)
|
|||||
| CVE-2025-1075 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 7.5 HIGH |
|
Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p27, <2.2.0p40, and 2.1.0p51 (EOL) causes LDAP credentials to be written to Apache error log file accessible to administrators.
|
|||||
| CVE-2025-32917 | 1 Checkmk | 1 Checkmk | 2025-08-22 | N/A | 8.8 HIGH |
|
Privilege escalation in jar_signature agent plugin in Checkmk versions <2.4.0b7 (beta), <2.3.0p32, <2.2.0p42, and 2.1.0p49 (EOL) allow user with write access to JAVA_HOME/bin directory to escalate privileges.
|
|||||
| CVE-2025-1712 | 1 Checkmk | 1 Checkmk | 2025-08-22 | N/A | 8.8 HIGH |
|
Argument injection in special agent configuration in Checkmk <2.4.0p1, <2.3.0p32, <2.2.0p42 and 2.1.0 allows authenticated attackers to write arbitrary files
|
|||||
| CVE-2025-32918 | 1 Checkmk | 1 Checkmk | 2025-08-22 | N/A | 8.8 HIGH |
|
Improper neutralization of Livestatus command delimiters in autocomplete endpoint within the RestAPI of Checkmk versions <2.4.0p6, <2.3.0p35, <2.2.0p44, and 2.1.0 (EOL) allows an authenticated user to inject arbitrary Livestatus commands.
|
|||||
| CVE-2024-38865 | 1 Checkmk | 1 Checkmk | 2025-08-21 | N/A | 8.8 HIGH |
|
Improper neutralization of livestatus command delimiters in a specific endpoint within RestAPI of Checkmk prior to 2.2.0p39, 2.3.0p25, and 2.1.0p51 (EOL) allows arbitrary livestatus command execution. Exploitation requires the attacker to have a contact group assigned to their user account and for an event to originate from a host with the same contact group or from an event generated with an unknown host.
|
|||||
| CVE-2017-14955 | 1 Checkmk | 1 Checkmk | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
|
Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report.
|
|||||
| CVE-2023-31207 | 1 Checkmk | 1 Checkmk | 2025-01-30 | N/A | 4.4 MEDIUM |
|
Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be written to the site Apache access log.
|
|||||
| CVE-2024-38860 | 1 Checkmk | 1 Checkmk | 2024-12-11 | N/A | 6.1 MEDIUM |
|
Improper neutralization of input in Checkmk before versions 2.3.0p16 and 2.2.0p34 allows attackers to craft malicious links that can facilitate phishing attacks.
|
|||||
| CVE-2024-0670 | 2 Checkmk, Microsoft | 2 Checkmk, Windows | 2024-12-09 | N/A | 8.8 HIGH |
|
Privilege escalation in windows agent plugin in Checkmk before 2.2.0p23, 2.1.0p40 and 2.0.0 (EOL) allows local user to escalate privileges
|
|||||
| CVE-2024-28825 | 1 Checkmk | 1 Checkmk | 2024-12-09 | N/A | 5.9 MEDIUM |
|
Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta), 2.2.0p26, 2.1.0p43, and in Checkmk 2.0.0 (EOL) facilitates password brute-forcing.
|
|||||
| CVE-2024-3367 | 1 Checkmk | 1 Checkmk | 2024-12-05 | N/A | 6.5 MEDIUM |
|
Argument injection in websphere_mq agent plugin in Checkmk 2.0.0, 2.1.0, <2.2.0p26 and <2.3.0b5 allows local attacker to inject one argument to runmqsc
|
|||||
| CVE-2024-2380 | 1 Checkmk | 1 Checkmk | 2024-12-04 | N/A | 4.6 MEDIUM |
|
Stored XSS in graph rendering in Checkmk <2.3.0b4.
|
|||||
| CVE-2024-0638 | 1 Checkmk | 1 Checkmk | 2024-12-04 | N/A | 8.2 HIGH |
|
Least privilege violation in the Checkmk agent plugins mk_oracle, mk_oracle.ps1, and mk_oracle_crs before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges.
|
|||||
| CVE-2024-1742 | 1 Checkmk | 1 Checkmk | 2024-12-04 | N/A | 3.8 LOW |
|
Invocation of the sqlplus command with sensitive information in the command line in the mk_oracle Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows the extraction of this information from the process list.
|
|||||
| CVE-2024-28824 | 1 Checkmk | 1 Checkmk | 2024-12-04 | N/A | 8.8 HIGH |
|
Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges.
|
|||||
| CVE-2024-28826 | 1 Checkmk | 1 Checkmk | 2024-12-04 | N/A | 8.8 HIGH |
|
Improper restriction of local upload and download paths in check_sftp in Checkmk before 2.3.0p4, 2.2.0p27, 2.1.0p44, and in Checkmk 2.0.0 (EOL) allows attackers with sufficient permissions to configure the check to read and write local files on the Checkmk site server.
|
|||||
| CVE-2024-28831 | 1 Checkmk | 1 Checkmk | 2024-12-04 | N/A | 5.4 MEDIUM |
|
Stored XSS in some confirmation pop-ups in Checkmk before versions 2.3.0p7 and 2.2.0p28 allows Checkmk users to execute arbitrary scripts by injecting HTML elements into some user input fields that are shown in a confirmation pop-up.
|
|||||
| CVE-2024-28832 | 1 Checkmk | 1 Checkmk | 2024-12-04 | N/A | 4.8 MEDIUM |
|
Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows users with permission to change Global Settings to execute arbitrary scripts by injecting HTML elements into the Crash Report URL in the Global Settings.
|
|||||
| CVE-2024-28830 | 1 Checkmk | 1 Checkmk | 2024-12-04 | N/A | 2.7 LOW |
|
Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p7, <2.2.0p28, <2.1.0p45 and <=2.0.0p39 (EOL) causes automation user secrets to be written to audit log files accessible to administrators.
|
|||||
| CVE-2024-38857 | 1 Checkmk | 1 Checkmk | 2024-12-04 | N/A | 4.3 MEDIUM |
|
Improper neutralization of input in Checkmk before versions 2.3.0p8, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows attackers to craft malicious links that can facilitate phishing attacks.
|
|||||
| CVE-2024-28827 | 1 Checkmk | 1 Checkmk | 2024-12-04 | N/A | 8.8 HIGH |
|
Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) allows a local attacker to gain SYSTEM privileges.
|
|||||
| CVE-2024-47094 | 1 Checkmk | 1 Checkmk | 2024-12-03 | N/A | 5.5 MEDIUM |
|
Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p22, <2.2.0p37, <2.1.0p50 (EOL) causes remote site secrets to be written to web log files accessible to local site users.
|
|||||