Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.
AnalysisAI
Authenticated users can bypass regex-based input validation in command injection action scripts by injecting newline characters that exploit multiline mode anchors, allowing shell command execution. This vulnerability affects systems using administrator-configured validation patterns with ^ and $ anchors, enabling authenticated attackers to achieve arbitrary command execution. No patch is currently available.
Technical ContextAI
Zabbix implements input validation for host and event action scripts using administrator-configurable regular expressions. The vulnerability stems from a common regex anchoring flaw (CWE-78: Improper Neutralization of Special Elements used in an OS Command) where the regex engine operates in multiline mode. In multiline mode, the ^ anchor matches at the start of any line and $ matches at the end of any line, not just the string boundaries. An authenticated attacker can inject a newline character followed by malicious shell commands, causing the regex to match the first line (which may pass validation) while the injected payload on subsequent lines executes without validation. This is a classic example of insufficient input sanitization combined with regex mode misconfiguration. The affected product is Zabbix (CPE: cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*), where the script execution engine processes these unsanitized inputs directly as shell commands.
RemediationAI
Apply the security patch provided by Zabbix for vulnerability ZBX-27639 immediately, as this is a post-authentication remote code execution vulnerability affecting critical monitoring infrastructure. Consult https://support.zabbix.com/browse/ZBX-27639 for the specific patched version applicable to your deployment. As an interim mitigation while patches are being prepared or deployed, restrict administrative access to Zabbix with strong multi-factor authentication, audit all existing action scripts for suspicious content, disable or restrict host and event action script execution to only trusted scripts, and implement network segmentation to limit the blast radius if script execution is compromised. Consider deploying Zabbix in a containerized environment with restrictive AppArmor or SELinux policies to limit shell command capabilities.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP3-BCL | Fixed |
| SUSE Linux Enterprise Server 12 SP3-ESPOS | Fixed |
| SUSE Linux Enterprise Server 12 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE OpenStack Cloud 8 | Fixed |
| SUSE OpenStack Cloud 9 | Fixed |
| SUSE OpenStack Cloud Crowbar 8 | Fixed |
| SUSE OpenStack Cloud Crowbar 9 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14952