Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip.
AnalysisAI
Stored Cross-Site Scripting (XSS) in Zabbix 7.0.x and 7.4.x allows authenticated administrators with non-super privileges to inject JavaScript payloads into maintenance period configurations. The malicious code executes when any user, including super admins, hovers over the affected maintenance period in the Host navigator widget tooltip, enabling session hijacking, credential theft, or unauthorized administrative actions with the victim's elevated privileges. Attack complexity is low and requires only user interaction (hovering), though exploit execution depends on victim access patterns. No public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
This is a stored XSS vulnerability (CWE-79) in Zabbix's maintenance period management functionality. Zabbix is an enterprise-class open-source monitoring platform. The vulnerability exists in versions 7.0.0 through 7.0.23 and 7.4.0 through 7.4.7 per EUVD data. The flaw stems from insufficient input validation and output encoding when processing maintenance period names or descriptions displayed in the Host navigator widget tooltips. When an authenticated non-super administrator creates or edits a maintenance period, malicious JavaScript can be injected into fields that are later rendered unsanitized in the tooltip pop-up. The payload persists in the database (stored XSS) and executes in the security context of any user viewing the tooltip, including users with higher privileges than the attacker. This represents a privilege escalation vector where lower-privileged administrators can compromise super administrator accounts through social engineering combined with normal monitoring workflow actions.
RemediationAI
Upgrade to Zabbix versions beyond the affected ranges as indicated in vendor advisory ZBX-27758 (https://support.zabbix.com/browse/ZBX-27758). Based on affected version ranges, patched releases are likely 7.0.24+ and 7.4.8+, though exact fix versions should be confirmed directly from the vendor advisory before deployment. Until patching is complete, implement these compensating controls: restrict maintenance period creation/modification permissions to only highly trusted super administrators through role-based access control configuration in Administration → User roles, eliminating non-super admin write access to maintenance configurations (trade-off: reduces operational flexibility for delegated monitoring teams). Deploy Content Security Policy headers to block inline JavaScript execution in the Zabbix frontend (trade-off: may interfere with legitimate Zabbix UI functionality and requires testing). Audit existing maintenance period configurations for suspicious JavaScript patterns in names and descriptions using database queries against the maintenances table. Monitor web application firewall logs for script injection attempts targeting maintenance period forms. Educate administrative users to avoid hovering over maintenance tooltips from untrusted administrators and to report anomalous tooltip content immediately. These workarounds reduce but do not eliminate risk and should be considered temporary measures pending patch application.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP3-BCL | Fixed |
| SUSE Linux Enterprise Server 12 SP3-ESPOS | Fixed |
| SUSE Linux Enterprise Server 12 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE OpenStack Cloud 8 | Fixed |
| SUSE OpenStack Cloud 9 | Fixed |
| SUSE OpenStack Cloud Crowbar 8 | Fixed |
| SUSE OpenStack Cloud Crowbar 9 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27527
GHSA-v7c2-5wfc-rfff