Total
84 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-39663 | 1 Checkmk | 1 Checkmk | 2025-12-03 | N/A | 8.4 HIGH |
| Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML code into service outputs in the central site. Affecting Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (eol). | |||||
| CVE-2025-58121 | 1 Checkmk | 1 Checkmk | 2025-11-24 | N/A | 5.4 MEDIUM |
| Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information | |||||
| CVE-2025-64996 | 1 Checkmk | 1 Checkmk | 2025-11-24 | N/A | 4.4 MEDIUM |
| In Checkmk versions prior to 2.4.0p16, 2.3.0p41, and all versions of 2.2.0 and older, the mk_inotify plugin creates world-readable and writable files, allowing any local user on the system to read the plugin's output and manipulate it, potentially leading to unauthorized access to or modification of monitoring data. | |||||
| CVE-2025-58122 | 1 Checkmk | 1 Checkmk | 2025-11-24 | N/A | 5.4 MEDIUM |
| Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or information disclosure. | |||||
| CVE-2024-6163 | 1 Checkmk | 1 Checkmk | 2025-08-27 | N/A | 5.3 MEDIUM |
| Certain http endpoints of Checkmk in Checkmk < 2.3.0p10 < 2.2.0p31, < 2.1.0p46, <= 2.0.0p39 allows remote attacker to bypass authentication and access data | |||||
| CVE-2025-32915 | 3 Checkmk, Linux, Oracle | 3 Checkmk, Linux Kernel, Solaris | 2025-08-26 | N/A | 5.5 MEDIUM |
| Packages downloaded by Checkmk's automatic agent updates on Linux and Solaris have incorrect permissions in Checkmk < 2.4.0p1, < 2.3.0p32, < 2.2.0p42 and <= 2.1.0p49 (EOL). This allows a local attacker to read sensitive data. | |||||
| CVE-2024-38864 | 2 Checkmk, Microsoft | 2 Checkmk, Windows | 2025-08-25 | N/A | 3.3 LOW |
| Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p23, < 2.2.0p38 and <= 2.1.0p49 (EOL) allows a local attacker to read sensitive data. | |||||
| CVE-2024-6572 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 7.4 HIGH |
| Improper host key checking in active check 'Check SFTP Service' and special agent 'VNX quotas and filesystem' in Checkmk before Checkmk 2.3.0p15, 2.2.0p33, 2.1.0p48 and 2.0.0 (EOL) allows man-in-the-middle attackers to intercept traffic | |||||
| CVE-2025-3506 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 5.3 MEDIUM |
| Files to be deployed with agents are accessible without authentication in Checkmk 2.1.0, Checkmk 2.2.0, Checkmk 2.3.0 and <Checkmk 2.4.0b6 allows attacker to access files that could contain secrets. | |||||
| CVE-2025-2092 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 7.5 HIGH |
| Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p29, <2.2.0p41 and <=2.1.0p49 (EOL) causes remote site authentication secrets to be written to log files accessible to administrators. | |||||
| CVE-2025-2596 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 5.3 MEDIUM |
| Session logout could be overwritten in Checkmk GmbH's Checkmk versions <2.3.0p30, <2.2.0p41, and 2.1.0p49 (EOL) | |||||
| CVE-2025-1075 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 7.5 HIGH |
| Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p27, <2.2.0p40, and 2.1.0p51 (EOL) causes LDAP credentials to be written to Apache error log file accessible to administrators. | |||||
| CVE-2025-32917 | 1 Checkmk | 1 Checkmk | 2025-08-22 | N/A | 8.8 HIGH |
| Privilege escalation in jar_signature agent plugin in Checkmk versions <2.4.0b7 (beta), <2.3.0p32, <2.2.0p42, and 2.1.0p49 (EOL) allow user with write access to JAVA_HOME/bin directory to escalate privileges. | |||||
| CVE-2025-1712 | 1 Checkmk | 1 Checkmk | 2025-08-22 | N/A | 8.8 HIGH |
| Argument injection in special agent configuration in Checkmk <2.4.0p1, <2.3.0p32, <2.2.0p42 and 2.1.0 allows authenticated attackers to write arbitrary files | |||||
| CVE-2025-32918 | 1 Checkmk | 1 Checkmk | 2025-08-22 | N/A | 8.8 HIGH |
| Improper neutralization of Livestatus command delimiters in autocomplete endpoint within the RestAPI of Checkmk versions <2.4.0p6, <2.3.0p35, <2.2.0p44, and 2.1.0 (EOL) allows an authenticated user to inject arbitrary Livestatus commands. | |||||
| CVE-2024-38865 | 1 Checkmk | 1 Checkmk | 2025-08-21 | N/A | 8.8 HIGH |
| Improper neutralization of livestatus command delimiters in a specific endpoint within RestAPI of Checkmk prior to 2.2.0p39, 2.3.0p25, and 2.1.0p51 (EOL) allows arbitrary livestatus command execution. Exploitation requires the attacker to have a contact group assigned to their user account and for an event to originate from a host with the same contact group or from an event generated with an unknown host. | |||||
| CVE-2017-14955 | 1 Checkmk | 1 Checkmk | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report. | |||||
| CVE-2023-31207 | 1 Checkmk | 1 Checkmk | 2025-01-30 | N/A | 4.4 MEDIUM |
| Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be written to the site Apache access log. | |||||
| CVE-2024-38860 | 1 Checkmk | 1 Checkmk | 2024-12-11 | N/A | 6.1 MEDIUM |
| Improper neutralization of input in Checkmk before versions 2.3.0p16 and 2.2.0p34 allows attackers to craft malicious links that can facilitate phishing attacks. | |||||
| CVE-2024-0670 | 2 Checkmk, Microsoft | 2 Checkmk, Windows | 2024-12-09 | N/A | 8.8 HIGH |
| Privilege escalation in windows agent plugin in Checkmk before 2.2.0p23, 2.1.0p40 and 2.0.0 (EOL) allows local user to escalate privileges | |||||