JavaScript Injection Vulnerability in Zabbix Affected by Non-Super Administrator Actions
CVE-2026-23926

7.3HIGH

Key Information:

Vendor: Zabbix
Status: Zabbix
Vendor: CVE Published:; 6 May 2026

What is CVE-2026-23926?

An authenticated (non-super) administrator in Zabbix can inadvertently create a maintenance period containing malicious JavaScript payloads. This can execute unauthorized actions when any user interacts with the tooltip in the Host navigator widget. The implications include potential unauthorized access and actions taken by users who view the affected tooltip. Organizations using Zabbix must assess their configurations to mitigate risks associated with this vulnerability.

Affected Version(s)

Zabbix 7.0.0 <= 7.0.23

Zabbix 7.4.0 <= 7.4.7

References

https://support.zabbix.com/browse/ZBX-27758

CVSS V4

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2026
Vulnerability Reserved
Jan 19, 2026

Credit

Zabbix wants to thank Daniel Santos (@bananabr) for submitting this report on the HackerOne bug bounty platform.

CVE-2026-23926 Data

JSON