QwikSec

Security Database

CVE

CWE

Training

CVE-2025-64999

Published: Feb 26, 2026

Modified: Apr 14, 2026

PUBLISHED

Description

Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link.

Vendor	Product	Versions
Checkmk GmbH	Checkmk	affected `2.4.0 - < 2.4.0p22` affected `2.3.0 - < 2.3.0p43`

Weaknesses (CWE)

References

https://checkmk.com/werk/19238

vendor-advisory

https://github.com/sbaresearch/advisories/tree/e72ce9bb6b9ffffc1fc35e4d8152ad153293c851/2025/SBA-ADV-20251118-01_Checkmk_Cross_Site_Scripting

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.