JavaScript Injection Vulnerability in Zabbix Widgets by Zabbix
CVE-2026-23928

7.3HIGH

Key Information:

Vendor: Zabbix
Status: Zabbix
Vendor: CVE Published:; 6 May 2026

What is CVE-2026-23928?

A vulnerability exists in the Item history widget of Zabbix 7.0 and the Plain text widget of Zabbix 6.0 that allows for the execution of injected JavaScript code when HTML display is enabled. This can lead to unauthorized actions performed by an attacker if a dashboard containing the vulnerable widgets is accessed by a user. The malicious JavaScript code must originate from a monitored host that is under the attacker's control. The Item history widget was introduced as a replacement for the Plain text widget in Zabbix 7.0.

Affected Version(s)

Zabbix 6.0.0 <= 6.0.44

Zabbix 7.0.0 <= 7.0.23

Zabbix 7.4.0 <= 7.4.7

References

https://support.zabbix.com/browse/ZBX-27760

CVSS V4

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2026
Vulnerability Reserved
Jan 19, 2026

CVE-2026-23928 Data

JSON