CVE-2025-39663 · HIGH 8.4 · EPSS percentile 42.0%

Description

Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML code into service outputs in the central site. Affected: Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (EOL).

Scoring

CVSS 3.1: 8.4 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.56% probability of exploitation · percentile 42.0% · 2026-06-19T12:03:05Z
Published: 2025-10-30
Last modified: 2025-12-03

Underlying weaknesses · 2

CWE-80, CWE-79

References

  1. https://checkmk.com/werk/17998
  2. https://github.com/sbaresearch/advisories/tree/82fd27e4570433464c30b35150b197db9a850f4e/2025/SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting
  3. http://seclists.org/fulldisclosure/2025/Nov/0

Weakness mapping · 2

Type      Target                                                                                  Confidence  Tier
Weakness  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')   CWE-79  0%  live
Weakness  Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)           CWE-80  0%  live

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.