{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33455", "assignerOrgId": "f7d6281c-4801-44ce-ace2-493291dedb0f", "state": "PUBLISHED", "assignerShortName": "Checkmk", "dateReserved": "2026-03-20T10:30:13.352Z", "datePublished": "2026-04-10T08:30:20.089Z", "dateUpdated": "2026-04-10T12:48:27.066Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Checkmk", "vendor": "Checkmk GmbH", "versions": [{"lessThan": "2.5.0b4", "status": "affected", "version": "2.5.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins."}], "impacts": [{"capecId": "CAPEC-15", "descriptions": [{"lang": "en", "value": "CAPEC-15: Command Delimiters"}]}], "metrics": [{"cvssV4_0": {"baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-140", "description": "CWE-140: Improper Neutralization of Delimiters", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f7d6281c-4801-44ce-ace2-493291dedb0f", "shortName": "Checkmk", "dateUpdated": "2026-04-10T08:30:20.089Z"}, "references": [{"url": "https://checkmk.com/werk/17988", "tags": ["vendor-advisory"]}], "title": "Livestatus injection in monitoring quicksearch", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.5.0b1", "versionEndExcluding": "2.5.0b4"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T12:48:16.804539Z", "id": "CVE-2026-33455", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T12:48:27.066Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33455", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T12:48:16.804539Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T12:48:23.351Z"}}], "cna": {"title": "Livestatus injection in monitoring quicksearch", "impacts": [{"capecId": "CAPEC-15", "descriptions": [{"lang": "en", "value": "CAPEC-15: Command Delimiters"}]}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}}], "affected": [{"vendor": "Checkmk GmbH", "product": "Checkmk", "versions": [{"status": "affected", "version": "2.5.0", "lessThan": "2.5.0b4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://checkmk.com/werk/17988", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-140", "description": "CWE-140: Improper Neutralization of Delimiters"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.5.0b4", "versionStartIncluding": "2.5.0b1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f7d6281c-4801-44ce-ace2-493291dedb0f", "shortName": "Checkmk", "dateUpdated": "2026-04-10T08:30:20.089Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33455", "state": "PUBLISHED", "dateUpdated": "2026-04-10T12:48:27.066Z", "dateReserved": "2026-03-20T10:30:13.352Z", "assignerOrgId": "f7d6281c-4801-44ce-ace2-493291dedb0f", "datePublished": "2026-04-10T08:30:20.089Z", "assignerShortName": "Checkmk"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins."}], "id": "CVE-2026-33455", "lastModified": "2026-04-10T09:16:23.447", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@checkmk.com", "type": "Secondary"}]}, "published": "2026-04-10T09:16:23.447", "references": [{"source": "security@checkmk.com", "url": "https://checkmk.com/werk/17988"}], "sourceIdentifier": "security@checkmk.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-140"}], "source": "security@checkmk.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-10T09:21:28.371235+00:00", "value": {"mitigation_remediation": ["Ensure Checkmk is updated to version 2.5.0b4 or later.", "If an upgrade is not immediately possible, restrict access to the monitoring interface so that only trusted and vetted personnel can use the Quicksearch feature.", "Monitor web interface logs for unusual Livestatus command patterns that may indicate an attempt to exploit the injection point."], "summary": {"action": "Patch", "impact": "Command injection"}, "threat_synthesis": {"affected_systems": "The flaw exists in Checkmk released by Checkmk GmbH, specifically in versions older than 2.5.0b4. The Quicksearch component of the web interface is the affected area.", "description_and_impact": "Checkmk Quicksearch allows a user to submit a search query that is processed by filter plugins. Because the input is not adequately sanitized, an authenticated user can embed Livestatus commands inside the query. This injection lets the attacker execute arbitrary Livestatus requests, potentially changing monitoring state, retrieving sensitive data, or escalating privileges within the monitoring system.", "risk_and_exploitability": "The base CVSS score of 5.3 indicates a moderate severity. EPSS information is not available and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to be authenticated to the Checkmk web interface, after which a crafted query can inject Livestatus commands. No special privileges or preconditions beyond authentication are required, making the attack vector relatively straightforward for authorized users."}}}}, "created": "2026-04-10T09:26:22.731635+00:00", "updated": "2026-04-10T09:26:22.731721+00:00", "vendors": []}