UBUNTU-CVE-2026-9549

Source
https://ubuntu.com/security/CVE-2026-9549
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9549.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-9549
Upstream
Published
2026-06-08T13:16:00Z
Modified
2026-06-11T13:02:02Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run the check on the service discovery page.

References

Affected packages

Ubuntu:Pro:16.04:LTS / check-mk

Package

Name
check-mk
Purl
pkg:deb/ubuntu/check-mk?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.2.6p5-1
1.2.6p12-1
1.2.6p12-1ubuntu0.16.04.1
1.2.6p12-1ubuntu0.16.04.1+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1",
            "binary_name": "check-mk-agent"
        },
        {
            "binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1",
            "binary_name": "check-mk-agent-logwatch"
        },
        {
            "binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1",
            "binary_name": "check-mk-config-icinga"
        },
        {
            "binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1",
            "binary_name": "check-mk-config-nagios3"
        },
        {
            "binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1",
            "binary_name": "check-mk-livestatus"
        },
        {
            "binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1",
            "binary_name": "check-mk-multisite"
        },
        {
            "binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1",
            "binary_name": "check-mk-server"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9549.json"

Ubuntu:18.04:LTS / check-mk

Package

Name
check-mk
Purl
pkg:deb/ubuntu/check-mk?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.2.8p16-1ubuntu0.1
1.2.8p16-1ubuntu0.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.2.8p16-1ubuntu0.2",
            "binary_name": "check-mk-agent"
        },
        {
            "binary_version": "1.2.8p16-1ubuntu0.2",
            "binary_name": "check-mk-agent-logwatch"
        },
        {
            "binary_version": "1.2.8p16-1ubuntu0.2",
            "binary_name": "check-mk-config-icinga"
        },
        {
            "binary_version": "1.2.8p16-1ubuntu0.2",
            "binary_name": "check-mk-livestatus"
        },
        {
            "binary_version": "1.2.8p16-1ubuntu0.2",
            "binary_name": "check-mk-multisite"
        },
        {
            "binary_version": "1.2.8p16-1ubuntu0.2",
            "binary_name": "check-mk-server"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9549.json"