Security Vulnerabilities
When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. This only affects users who allow API access from untrusted networks.
CVSS Score: 8.2 | EPSS Score: 0.001 | Published: 2026-06-08
When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.
CVSS Score: 8.7 | EPSS Score: 0.001 | Published: 2026-06-08
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.
CVSS Score: 8.3 | EPSS Score: 0.001 | Published: 2026-06-08
Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run the check on the service discovery page.
CVSS Score: 4.8 | EPSS Score: 0.0 | Published: 2026-06-08
Stored cross-site scripting in the URL dashboard widget in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the dashboard.
CVSS Score: 8.5 | EPSS Score: 0.0 | Published: 2026-06-08
Incorrect authorization in the User Messages dashboard widget in Checkmk <2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by sending requests to the underlying endpoint, even without a User Messages widget present.
CVSS Score: 6.3 | EPSS Score: 0.0 | Published: 2026-06-08
Stored cross-site scripting in the global settings change log in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the Activate Changes page or Audit log.
CVSS Score: 4.8 | EPSS Score: 0.0 | Published: 2026-06-08
Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another user interacts with the crafted link.
CVSS Score: 8.5 | EPSS Score: 0.0 | Published: 2026-06-08
CVE-2026-50751
Known exploited
A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
CVSS Score: 9.3 | EPSS Score: 0.137 | Published: 2026-06-08
A vulnerability has been found in D-Link DCS-5615 1.01.00. Affected by this vulnerability is an unknown functionality of the file /etc/conf.d/boa/boa.conf of the component Boa Webserver. Such manipulation leads to least privilege violation. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2026-06-08

