CVE-2026-23928

Published: May 6, 2026

Modified: May 6, 2026

PUBLISHED

Description

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0.

Vendor	Product	Versions
Zabbix	Zabbix	affected `6.0.0 - <= 6.0.44` affected `7.0.0 - <= 7.0.23` affected `7.4.0 - <= 7.4.7`

Weaknesses (CWE)

CWE-79

References

https://support.zabbix.com/browse/ZBX-27760

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-23928

Description

Affected Products

Weaknesses (CWE)

References