Vulnerabilities ›

CVE-2026-20915

Medium

Stored cross-site scripting (XSS) in Checkmk version 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Ch

CWE-79 — Weakness Type

                    Published: Mar 31, 2026                      ·  Modified: Apr 2, 2026                      ·  Source: NVD                

CVSS v3

5.4

🔗 NVD Official

📄 Description (English)

🤖 AI Executive Summary

Checkmk 2.5.0 beta 1 contains a stored XSS vulnerability in the Pending Changes sidebar that allows authenticated users to inject malicious JavaScript affecting other users. While currently in beta with no public exploit, this vulnerability poses a risk to organizations using Checkmk for infrastructure monitoring. The lack of a patch requires immediate mitigation through access controls and version management.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 26, 2026 14:58

🇸🇦 Saudi Arabia Impact Assessment

Saudi government agencies, telecommunications operators (STC, Mobily), and critical infrastructure providers using Checkmk for monitoring face insider threat risks. Banking sector (SAMA-regulated institutions) and energy sector (ARAMCO, power utilities) relying on Checkmk for operational monitoring could experience compromised visibility into critical systems. The vulnerability primarily affects organizations in beta testing phases, but production deployments upgrading to 2.5.0 are at risk. Impact is limited to authenticated users with change permissions, reducing blast radius but increasing insider threat concern.

🏢 Affected Saudi Sectors

Government & Public Administration Telecommunications (STC, Mobily, Zain) Banking & Financial Services (SAMA-regulated) Energy & Utilities (ARAMCO, power generation) Healthcare Critical Infrastructure Operators

🎯 MITRE ATT&CK Techniques

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application T1598 - Phishing - Spearphishing Link T1566 - Phishing T1204 - User Execution T1539 - Steal Web Session Cookie T1056 - Input Capture

⚖️ Saudi Risk Score (AI)

4.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Audit all Checkmk 2.5.0 beta 1 deployments in your environment

2. Restrict 'Create Pending Changes' permissions to only trusted administrators

3. Implement role-based access control (RBAC) limiting who can create pending changes

4. Monitor Pending Changes sidebar access logs for suspicious activity

Patching Guidance:

1. Do NOT deploy Checkmk 2.5.0 beta 1 to production environments

2. Remain on stable release versions (2.4.x or earlier) until 2.5.0 final release with security patches

3. When 2.5.0b2 or later becomes available, test thoroughly before deployment

4. Subscribe to Checkmk security advisories for patch availability

Compensating Controls:

1. Implement Content Security Policy (CSP) headers at reverse proxy/WAF level

2. Deploy Web Application Firewall (WAF) rules to detect XSS patterns in Pending Changes submissions

3. Enable browser security extensions (NoScript, uBlock Origin) for administrative users

4. Implement network segmentation isolating Checkmk administrative interfaces

5. Enable detailed audit logging of all Pending Changes creation and modifications

Detection Rules:

1. Monitor for JavaScript keywords (script, onerror, onload, eval) in Pending Changes API submissions

2. Alert on Pending Changes modifications by non-standard administrative accounts

3. Track unusual sidebar rendering errors or JavaScript console warnings

4. Monitor for multiple users accessing Pending Changes sidebar simultaneously after suspicious changes

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تدقيق جميع نشرات Checkmk 2.5.0 بيتا 1 في بيئتك

2. تقييد صلاحيات 'إنشاء التغييرات المعلقة' للمسؤولين الموثوقين فقط

3. تطبيق التحكم في الوصول القائم على الأدوار (RBAC) لتحديد من يمكنه إنشاء تغييرات معلقة

4. مراقبة سجلات الوصول إلى شريط التغييرات المعلقة للنشاط المريب

إرشادات التصحيح:

1. عدم نشر Checkmk 2.5.0 بيتا 1 في بيئات الإنتاج

2. البقاء على إصدارات مستقرة (2.4.x أو أقدم) حتى إصدار 2.5.0 النهائي مع تصحيحات الأمان

3. عند توفر 2.5.0b2 أو إصدار لاحق، اختبر بدقة قبل النشر

4. اشترك في تنبيهات أمان Checkmk لتوفر التصحيحات

الضوابط البديلة:

1. تطبيق رؤوس سياسة أمان المحتوى (CSP) على مستوى الوكيل العكسي/WAF

2. نشر قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن أنماط XSS في تقديمات التغييرات المعلقة

3. تفعيل امتدادات أمان المتصفح (NoScript، uBlock Origin) للمستخدمين الإداريين

4. تطبيق تقسيم الشبكة لعزل واجهات إدارة Checkmk

5. تفعيل تسجيل التدقيق التفصيلي لجميع عمليات إنشاء وتعديل التغييرات المعلقة

قواعد الكشف:

1. مراقبة كلمات JavaScript الرئيسية (script، onerror، onload، eval) في تقديمات API للتغييرات المعلقة

2. تنبيه على تعديلات التغييرات المعلقة من قبل حسابات إدارية غير قياسية

3. تتبع أخطاء عرض الشريط الجانبي غير المعتادة أو تحذيرات وحدة تحكم JavaScript

4. مراقبة وصول عدة مستخدمين إلى شريط التغييرات المعلقة في نفس الوقت بعد تغييرات مريبة

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information security policies and procedures A.6.1.1 - User access management and authentication A.6.2.1 - User access rights review A.7.1.1 - Physical and logical access controls A.12.2.1 - Change management procedures A.12.4.1 - Event logging and monitoring A.14.2.1 - Secure development and testing

🔵 SAMA CSF

Governance & Risk Management - Access Control Policies Information & Cybersecurity - Application Security Information & Cybersecurity - Vulnerability Management Operational Resilience - Change Management Operational Resilience - Monitoring & Detection

🟡 ISO 27001:2022

A.5.1 - Management direction for information security A.6.1 - Organizational controls for access management A.6.2 - User access management A.8.1 - User endpoint devices A.8.2 - Privileged access rights A.12.2 - Change management A.12.4 - Event logging A.14.2 - Secure development policy

🔗 References & Sources 1

🔗

https://checkmk.com/werk/19526

security@checkmk.com

Vendor Advisory

📦 Affected Products / CPE 1 entries

checkmk:checkmk:2.5.0

📊 CVSS Score

5.4

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionR — Required

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score5.4

CWECWE-79

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-03-31

Source Feed nvd

🇸🇦 Saudi Risk Score

4.2

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-79

🏢 Vendor Advisories

🔗 https://checkmk.com/werk/19526

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-20915

💬 Comments

Introduce Yourself

Sign In Required