JavaScript Context Reuse Vulnerability in Zabbix Server/Proxy
CVE-2026-23919

7.1HIGH

Key Information:

Vendor: Zabbix
Status: Zabbix
Vendor: CVE Published:; 24 March 2026

What is CVE-2026-23919?

The reuse of JavaScript (Duktape) contexts in Zabbix Server/Proxy for performance optimization can lead to a potential confidentiality breach. A non-super Zabbix administrator may inadvertently leak sensitive data pertaining to hosts outside their access rights. A recent fix enforces read-only status for built-in Zabbix JavaScript objects; however, users are cautioned against using global JavaScript variables, as their contents may still be exposed. For further insights, you can refer to the Zabbix documentation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Zabbix 6.0.0 <= 6.0.40

Zabbix 7.0.0 <= 7.0.18

Zabbix 7.2.0 <= 7.2.12

References

https://support.zabbix.com/browse/ZBX-27638

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 24, 2026
Vulnerability Reserved
Jan 19, 2026

Credit

Zabbix wants to thank Yerdan (big_john) for submitting this report on the HackerOne bug bounty platform.

JSON

Zabbix