PT-2026-27473 · Zabbix+1 · Zabbix+1
Big_John · Published 2026-03-24 · Updated 2026-04-17 · CVE-2026-23919
CVSS v4.0: 7.1 High
Vector: AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Zabbix versions prior to 7.4
Description
A design flaw in Zabbix Server/Proxy related to JavaScript (Duktape) context reuse can result in data leakage. Specifically, a regular Zabbix administrator may unintentionally expose data for hosts they are not authorized to access. The issue stems from the way JavaScript contexts are handled during script item processing, JavaScript reprocessing, and Webhooks. A fix has been implemented to make built-in Zabbix JavaScript objects read-only, but the use of global JavaScript variables is discouraged as their content could still be exposed.
Recommendations
Update to Zabbix version 7.4 or later.
Avoid using global JavaScript variables.
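The second recommendation, shown as an added example that is not Zabbix code. It is a simplified model in which the process's own global object stands in for a reused JavaScript context; the script bodies, names and values are constructed, and `leakedGlobals` is a hypothetical helper for reviewing a script body before deploying it.

```javascript
// Simplified model (assumption): one long-lived global object is reused for
// script bodies that belong to different hosts, like a reused JS context.
// All script bodies and values below are constructed samples.

// Run a script body as a function that receives `value`.
function runScript(body, value) {
  // Function-constructor bodies are non-strict, so an undeclared assignment
  // creates a property on the shared global object.
  return new Function('value', body)(value);
}

// Report the global names a script body leaves behind after it runs.
function leakedGlobals(body, value) {
  const before = new Set(Object.getOwnPropertyNames(globalThis));
  runScript(body, value);
  return Object.getOwnPropertyNames(globalThis).filter((n) => !before.has(n));
}

// Weak: `lastResponse` is never declared, so it becomes a global variable.
const weakBody = 'lastResponse = JSON.parse(value); return lastResponse.status;';
// Corrected: `var` keeps the parsed data local to this one execution.
const safeBody = 'var response = JSON.parse(value); return response.status;';
// A later script for a different host that references the same global name.
const otherHostBody =
  'return typeof lastResponse === "undefined" ? null : lastResponse.secret;';

function demo() {
  const hostAValue = '{"status":"ok","secret":"host-A-api-token"}'; // constructed
  const result = {};
  result.safeLeaks = leakedGlobals(safeBody, hostAValue);  // nothing left behind
  result.seenAfterSafe = runScript(otherHostBody, '');     // other host sees nothing
  result.weakLeaks = leakedGlobals(weakBody, hostAValue);  // global survives the run
  result.seenAfterWeak = runScript(otherHostBody, '');     // other host sees host A data
  delete globalThis.lastResponse; // clean up the shared state after the demo
  return result;
}

console.log(demo());
```

Running `leakedGlobals` over each script body in a test environment flags the ones that need their variables declared locally.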
Affected Products
Red Os
Zabbix