CVE-2026-33456

EUVD-2026-21344
Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
Affected Products (NVD)
VendorProductVersion
checkmkcheckmk
2.4.0
checkmkcheckmk
2.4.0:b1
checkmkcheckmk
2.4.0:b2
checkmkcheckmk
2.4.0:b3
checkmkcheckmk
2.4.0:b4
checkmkcheckmk
2.4.0:b5
checkmkcheckmk
2.4.0:b6
checkmkcheckmk
2.4.0:p1
checkmkcheckmk
2.4.0:p10
checkmkcheckmk
2.4.0:p11
checkmkcheckmk
2.4.0:p12
checkmkcheckmk
2.4.0:p13
checkmkcheckmk
2.4.0:p14
checkmkcheckmk
2.4.0:p15
checkmkcheckmk
2.4.0:p16
checkmkcheckmk
2.4.0:p17
checkmkcheckmk
2.4.0:p18
checkmkcheckmk
2.4.0:p19
checkmkcheckmk
2.4.0:p2
checkmkcheckmk
2.4.0:p20
checkmkcheckmk
2.4.0:p21
checkmkcheckmk
2.4.0:p22
checkmkcheckmk
2.4.0:p23
checkmkcheckmk
2.4.0:p24
checkmkcheckmk
2.4.0:p25
checkmkcheckmk
2.4.0:p3
checkmkcheckmk
2.4.0:p4
checkmkcheckmk
2.4.0:p5
checkmkcheckmk
2.4.0:p6
checkmkcheckmk
2.4.0:p7
checkmkcheckmk
2.4.0:p8
checkmkcheckmk
2.4.0:p9
checkmkcheckmk
2.5.0:b1
checkmkcheckmk
2.5.0:b2
checkmkcheckmk
2.5.0:b3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
check-mk
bionic
needs-triage
jammy
dne
noble
dne
questing
dne
resolute
dne
xenial
ignored
Common Weakness Enumeration
References
https://checkmk.com/werk/17989