The Checkmk security vulnerabilities are a set of vulnerabilities in the open-source IT infrastructure monitoring solution that an unauthenticated, remote attacker can chain together to gain code execution on a server running a vulnerable version of Checkmk. These vulnerabilities include Code Injection in watolib's auth.php, Arbitrary File Read in NagVis, Line Feed Injection in ajax_graph_images.py, and Server-Side Request Forgery in agent-receiver. The exploitation chain starts with the Server-Side Request Forgery in agent-receiver, which lets an attacker reach an endpoint that is only reachable from localhost. It continues with the Line Feed Injection vulnerability, which allows the attacker to forge arbitrary LQL queries. Each of these vulnerabilities has limited practical impact on its own, but chained together they lead to remote code execution. The Checkmk team has patched the identified issues in version 2.1.0p12, and any instance running a version before this release should be updated.
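
Why a line feed is enough to forge a query, shown as an added example that is not Checkmk's code: LQL (Livestatus Query Language) is line-oriented, so a value interpolated verbatim can add lines of its own. The builder functions, the validator and the sample input below are hypothetical and constructed for illustration.

```python
import re

# LQL (Livestatus Query Language) is line-oriented: a request line, one header
# per line, and a blank line that ends the query. Any line break inside an
# interpolated value therefore changes the structure of the query.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class UnsafeLqlValue(ValueError):
    """Raised when a value cannot be placed safely on a single LQL line."""


def lql_value(value: str) -> str:
    """Return value unchanged, or refuse it if it contains control characters."""
    match = _CONTROL_CHARS.search(value)
    if match:
        raise UnsafeLqlValue(f"control character {match.group()!r} in LQL value")
    return value


def build_host_query_unsafe(host: str) -> str:
    # Hypothetical vulnerable builder: the value is interpolated verbatim.
    return f"GET hosts\nColumns: name state\nFilter: name = {host}\n\n"


def build_host_query(host: str) -> str:
    # Hardened builder: the value is validated before it reaches the query.
    return f"GET hosts\nColumns: name state\nFilter: name = {lql_value(host)}\n\n"


def count_requests(query: str) -> int:
    """Count the request lines a line-oriented parser would see."""
    return sum(1 for line in query.split("\n") if line.startswith("GET "))


# Constructed sample input: a host name carrying a blank line and a second request.
CONSTRUCTED_INPUT = "web01\n\nGET services\nColumns: description"

if __name__ == "__main__":
    print(count_requests(build_host_query("web01")))
    print(count_requests(build_host_query_unsafe(CONSTRUCTED_INPUT)))
    try:
        build_host_query(CONSTRUCTED_INPUT)
    except UnsafeLqlValue as exc:
        print("rejected:", exc)
```

Rejecting the value outright, rather than stripping the line break, keeps a malformed request visible in logs instead of silently turning it into a different query.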