CVE-2026-33276

Source
https://cve.org/CVERecord?id=CVE-2026-33276
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33276.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33276
Downstream
Published
2026-03-31T13:44:17.857Z
Modified
2026-07-08T07:32:33.143816039Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N CVSS Calculator
Summary
XSS in Unified Search via Unescaped Host/Service Names
Details

Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "2.5.0b1"
                },
                {
                    "fixed": "2.5.0b2"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "introduced": "2.5.0b1"
                },
                {
                    "fixed": "2.5.0b2"
                }
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "fixed": "2.5.0b2"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33276.json",
    "cna_assigner": "Checkmk",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/checkmk/checkmk

Affected ranges

Type
GIT
Repo
https://github.com/checkmk/checkmk
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:checkmk:checkmk:2.5.0:b1:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "2.5.0-b1"
        },
        {
            "last_affected": "2.5.0-b1"
        }
    ]
}

Affected versions

2.*
2.5.0-b1
v2.*
v2.5.0p1
v2.5.0p1-rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33276.json"