Skip to main content

Suse EUVDEUVD-2026-14952

| CVE-2026-23920 HIGH
OS Command Injection (CWE-78)
2026-03-24 Zabbix
7.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 19:00 euvd
EUVD-2026-14952
Analysis Generated
Mar 24, 2026 - 19:00 vuln.today
CVE Published
Mar 24, 2026 - 18:27 nvd
HIGH 7.7

DescriptionCVE.org

Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.

AnalysisAI

Authenticated users can bypass regex-based input validation in command injection action scripts by injecting newline characters that exploit multiline mode anchors, allowing shell command execution. This vulnerability affects systems using administrator-configured validation patterns with ^ and $ anchors, enabling authenticated attackers to achieve arbitrary command execution. No patch is currently available.

Technical ContextAI

Zabbix implements input validation for host and event action scripts using administrator-configurable regular expressions. The vulnerability stems from a common regex anchoring flaw (CWE-78: Improper Neutralization of Special Elements used in an OS Command) where the regex engine operates in multiline mode. In multiline mode, the ^ anchor matches at the start of any line and $ matches at the end of any line, not just the string boundaries. An authenticated attacker can inject a newline character followed by malicious shell commands, causing the regex to match the first line (which may pass validation) while the injected payload on subsequent lines executes without validation. This is a classic example of insufficient input sanitization combined with regex mode misconfiguration. The affected product is Zabbix (CPE: cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*), where the script execution engine processes these unsanitized inputs directly as shell commands.

RemediationAI

Apply the security patch provided by Zabbix for vulnerability ZBX-27639 immediately, as this is a post-authentication remote code execution vulnerability affecting critical monitoring infrastructure. Consult https://support.zabbix.com/browse/ZBX-27639 for the specific patched version applicable to your deployment. As an interim mitigation while patches are being prepared or deployed, restrict administrative access to Zabbix with strong multi-factor authentication, audit all existing action scripts for suspicious content, disable or restrict host and event action script execution to only trusted scripts, and implement network segmentation to limit the blast radius if script execution is compromised. Consider deploying Zabbix in a containerized environment with restrictive AppArmor or SELinux policies to limit shell command capabilities.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Server 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security Fixed
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP3-BCL Fixed

Share

EUVD-2026-14952 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy