{"id":"CVE-2026-33456","summary":"Potential livestatus injection in notification test","details":"Livestatus injection in the notification test mode in Checkmk \u003c2.5.0b4 and \u003c2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description.","modified":"2026-07-08T07:32:33.897117182Z","published":"2026-04-10T08:31:27.807Z","database_specific":{"cwe_ids":["CWE-140"],"unresolved_ranges":[{"extracted_events":[{"introduced":"2.5.0"},{"fixed":"2.5.0b4"},{"introduced":"2.4.0"},{"fixed":"2.4.0p26"}],"source":"AFFECTED_FIELD"},{"extracted_events":[{"introduced":"2.5.0"},{"fixed":"2.5.0b4"},{"introduced":"2.4.0"},{"fixed":"2.4.0p26"}],"source":"CPE_FIELD"}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33456.json","cna_assigner":"Checkmk"},"references":[{"type":"ADVISORY","url":"https://checkmk.com/werk/17989"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33456.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33456"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/checkmk/checkmk","events":[{"introduced":"4abde4a41de677e103561e4fb75b81f6ee8b80dd"},{"last_affected":"14b86ce30afda1554eaa997f6dfb850bb9a2bee6"}],"database_specific":{"extracted_events":[{"introduced":"2.4.0-NA"},{"last_affected":"2.4.0-NA"},{"introduced":"2.4.0-b1"},{"last_affected":"2.4.0-b1"},{"introduced":"2.4.0-p1"},{"last_affected":"2.4.0-p1"},{"introduced":"2.4.0-b2"},{"last_affected":"2.4.0-b2"},{"introduced":"2.4.0-p2"},{"last_affected":"2.4.0-p2"},{"introduced":"2.4.0-b3"},{"last_affected":"2.4.0-b3"},{"introduced":"2.4.0-p3"},{"last_affected":"2.4.0-p3"},{"introduced":"2.4.0-b4"},{"last_affected":"2.4.0-b4"},{"introduced":"2.4.0-p4"},{"last_affected":"2.4.0-p4"},{"introduced":"2.4.0-b5"},{"last_affected":"2.4.0-b5"},{"introduced":"2.4.0-p5"},{"last_affected":"2.4.0-p5"},{"introduced":"2.4.0-b6"},{"last_affected":"2.4.0-b6"},{"introduced":"2.4.0-p6"},{"last_affected":"2.4.0-p6"},{"introduced":"2.4.0-p10"},{"last_affected":"2.4.0-p10"},{"introduced":"2.4.0-p11"},{"last_affected":"2.4.0-p11"},{"introduced":"2.4.0-p12"},{"last_affected":"2.4.0-p12"},{"introduced":"2.4.0-p13"},{"last_affected":"2.4.0-p13"},{"introduced":"2.4.0-p14"},{"last_affected":"2.4.0-p14"},{"introduced":"2.4.0-p15"},{"last_affected":"2.4.0-p15"},{"introduced":"2.4.0-p16"},{"last_affected":"2.4.0-p16"},{"introduced":"2.4.0-p17"},{"last_affected":"2.4.0-p17"},{"introduced":"2.4.0-p18"},{"last_affected":"2.4.0-p18"},{"introduced":"2.4.0-p19"},{"last_affected":"2.4.0-p19"},{"introduced":"2.4.0-p20"},{"last_affected":"2.4.0-p20"},{"introduced":"2.4.0-p21"},{"last_affected":"2.4.0-p21"},{"introduced":"2.4.0-p22"},{"last_affected":"2.4.0-p22"},{"introduced":"2.4.0-p23"},{"last_affected":"2.4.0-p23"},{"introduced":"2.4.0-p24"},{"last_affected":"2.4.0-p24"},{"introduced":"2.4.0-p25"},{"last_affected":"2.4.0-p25"},{"introduced":"2.4.0-p7"},{"last_affected":"2.4.0-p7"},{"introduced":"2.4.0-p8"},{"last_affected":"2.4.0-p8"},{"introduced":"2.4.0-p9"},{"last_affected":"2.4.0-p9"},{"introduced":"2.5.0-b1"},{"last_affected":"2.5.0-b1"},{"introduced":"2.5.0-b2"},{"last_affected":"2.5.0-b2"},{"introduced":"2.5.0-b3"},{"last_affected":"2.5.0-b3"}],"source":"CPE_STRING","cpe":["cpe:2.3:a:checkmk:checkmk:2.4.0:-:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:b1:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p1:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:b2:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p2:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:b3:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p3:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:b4:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p4:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:b5:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p5:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:b6:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p6:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p10:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p11:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p12:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p13:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p14:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p15:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p16:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p17:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p18:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p19:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p20:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p21:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p22:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p23:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p24:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p25:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p7:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p8:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.4.0:p9:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.5.0:b1:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.5.0:b2:*:*:*:*:*:*","cpe:2.3:a:checkmk:checkmk:2.5.0:b3:*:*:*:*:*:*"]}}],"versions":["2.4.0-NA","2.4.0-b1","2.4.0-b2","2.4.0-b3","2.4.0-b4","2.4.0-b5","2.4.0-b6","2.4.0-p10","2.4.0-p11","2.4.0-p12","2.4.0-p13","2.4.0-p14","2.4.0-p15","2.4.0-p16","2.4.0-p17","2.4.0-p18","2.4.0-p19","2.4.0-p20","2.4.0-p21","2.4.0-p22","2.4.0-p23","2.4.0-p24","2.4.0-p25","2.4.0-p7","2.4.0-p8","2.4.0-p9","2.5.0-b1","2.5.0-b2","2.5.0-b3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33456.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}]}