PT-2026-27475 · Zabbix+1 · Zabbix+1

·

CVE-2026-23921

·

Published

2026-03-24

·

Updated

2026-04-17

CVSS v2.0

9.0

High

VectorAV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Zabbix versions prior to 7.4.6
Description A Zabbix user with API access can exploit a blind SQL injection in the CApiService.php file. The issue resides in the sortfield parameter, allowing an attacker to execute arbitrary SQL selects. While query results are not directly returned, data can be exfiltrated using time-based techniques. This could lead to the disclosure of session identifiers and compromise of administrator accounts. The vulnerable component is located at the API endpoint include/classes/api/CApiService.php. The vulnerable parameter is sortfield.
Recommendations Update to Zabbix version 7.4.6 or later.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-07355
CVE-2026-23921

Affected Products

Red Os
Zabbix