Skip to main content

Zabbix CVE-2026-23926

| EUVDEUVD-2026-27527 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-06 Zabbix GHSA-v7c2-5wfc-rfff
7.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 06, 2026 - 10:00 vuln.today
CVSS changed
May 06, 2026 - 08:22 NVD
7.3 (HIGH)

DescriptionCVE.org

An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip.

AnalysisAI

Stored Cross-Site Scripting (XSS) in Zabbix 7.0.x and 7.4.x allows authenticated administrators with non-super privileges to inject JavaScript payloads into maintenance period configurations. The malicious code executes when any user, including super admins, hovers over the affected maintenance period in the Host navigator widget tooltip, enabling session hijacking, credential theft, or unauthorized administrative actions with the victim's elevated privileges. Attack complexity is low and requires only user interaction (hovering), though exploit execution depends on victim access patterns. No public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

This is a stored XSS vulnerability (CWE-79) in Zabbix's maintenance period management functionality. Zabbix is an enterprise-class open-source monitoring platform. The vulnerability exists in versions 7.0.0 through 7.0.23 and 7.4.0 through 7.4.7 per EUVD data. The flaw stems from insufficient input validation and output encoding when processing maintenance period names or descriptions displayed in the Host navigator widget tooltips. When an authenticated non-super administrator creates or edits a maintenance period, malicious JavaScript can be injected into fields that are later rendered unsanitized in the tooltip pop-up. The payload persists in the database (stored XSS) and executes in the security context of any user viewing the tooltip, including users with higher privileges than the attacker. This represents a privilege escalation vector where lower-privileged administrators can compromise super administrator accounts through social engineering combined with normal monitoring workflow actions.

RemediationAI

Upgrade to Zabbix versions beyond the affected ranges as indicated in vendor advisory ZBX-27758 (https://support.zabbix.com/browse/ZBX-27758). Based on affected version ranges, patched releases are likely 7.0.24+ and 7.4.8+, though exact fix versions should be confirmed directly from the vendor advisory before deployment. Until patching is complete, implement these compensating controls: restrict maintenance period creation/modification permissions to only highly trusted super administrators through role-based access control configuration in Administration → User roles, eliminating non-super admin write access to maintenance configurations (trade-off: reduces operational flexibility for delegated monitoring teams). Deploy Content Security Policy headers to block inline JavaScript execution in the Zabbix frontend (trade-off: may interfere with legitimate Zabbix UI functionality and requires testing). Audit existing maintenance period configurations for suspicious JavaScript patterns in names and descriptions using database queries against the maintenances table. Monitor web application firewall logs for script injection attempts targeting maintenance period forms. Educate administrative users to avoid hovering over maintenance tooltips from untrusted administrators and to report anomalous tooltip content immediately. These workarounds reduce but do not eliminate risk and should be considered temporary measures pending patch application.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security Fixed
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP3-BCL Fixed

Share

CVE-2026-23926 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy