Severity by source
Sources disagree (Low–High)CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information <a href='https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe'>in Zabbix documentation</a>.
AnalysisAI
Zabbix Server and Proxy reuse JavaScript (Duktape) execution contexts across script items, JavaScript preprocessing, and webhooks for performance optimization, allowing non-super administrators to leak sensitive data about hosts they lack authorization to access through context variable persistence. The vulnerability enables information disclosure attacks where a regular administrator can access confidential monitoring data from restricted hosts by exploiting shared JavaScript execution environments. A patch has been released that makes built-in Zabbix JavaScript objects read-only, though global variable usage remains unsafe even after remediation.
Technical ContextAI
The vulnerability exists in Zabbix Server and Proxy components (CPE: cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*) which utilize the Duktape JavaScript engine for executing script items, JavaScript preprocessing rules, and webhook scripts. To optimize performance, these components reuse Duktape contexts rather than creating isolated environments for each script execution. This design choice allows variables and state from previous script executions to persist in shared contexts, creating a cross-execution data leakage vector. The root cause is classified under CWE-488 (Exposure of Sensitive Data Through Shared Resources), where insufficient isolation mechanisms permit information disclosure through shared computational resources. Non-super administrators with limited host access can craft JavaScript preprocessing rules or script items that read from previously-executed contexts belonging to other administrators' restricted hosts.
RemediationAI
Upgrade Zabbix Server and Proxy to the patched version that implements read-only built-in JavaScript objects as soon as possible, following Zabbix's official release notes and patch availability from https://support.zabbix.com/browse/ZBX-27638. As a workaround prior to patching, administrators should avoid using global JavaScript variables in preprocessing rules and script items, as these remain unsafe even after applying the read-only object fix. Additionally, enforce strict role-based access controls (RBAC) to limit which administrators can create or modify JavaScript preprocessing rules and script items, and audit existing JavaScript code to identify and remediate any use of global state variables that could leak sensitive information across execution contexts.
Same weakness CWE-488 – Exposure of Data Element to Wrong Session
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Low| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP3-BCL | Fixed |
| SUSE Linux Enterprise Server 12 SP3-ESPOS | Fixed |
| SUSE Linux Enterprise Server 12 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE OpenStack Cloud 8 | Fixed |
| SUSE OpenStack Cloud 9 | Fixed |
| SUSE OpenStack Cloud Crowbar 8 | Fixed |
| SUSE OpenStack Cloud Crowbar 9 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14950
GHSA-h55g-ww3m-9hq9