PT-2026-37346 · Zabbix · Zabbix
Janis Nulle · Published 2026-05-06 · Updated 2026-05-06
CVE-2026-23928
CVSS v4.0: 7.3 (High)
| Vector | AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Zabbix versions 6.0 through 7.x
Description
The Item history widget and the Plain text widget allow the execution of injected JavaScript when HTML display is enabled. This occurs when malicious JavaScript is sent from a monitored host controlled by an attacker. If a user opens a dashboard containing these widgets, the script executes, potentially allowing the attacker to perform unauthorized actions. The Item history widget replaced the Plain text widget starting with version 7.0.
Recommendations
Disable HTML display in the Item history and Plain text widgets to prevent the execution of injected scripts.
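The description and the recommendation above describe one mechanism: collected item values from a monitored host are placed into the dashboard page verbatim when the widget's HTML display option is on, so any markup in those values is interpreted by the viewer's browser. The following Python model is an added example, not Zabbix frontend code; the widget option name `show_as_html`, the row layout of `SAMPLE_HISTORY` and the function names are assumptions chosen for illustration. It shows the raw-HTML rendering beside the escaped rendering that disabling HTML display amounts to, and a defender-side check that flags markup arriving in item history, since monitoring data is normally plain text.

```python
"""Illustrative model of the risk in CVE-2026-23928: a dashboard widget that
renders item history values as raw HTML lets a monitored host inject script.
Added example, not Zabbix code; field and function names are hypothetical."""
import html
import re

# Constructed sample of item history rows as a monitored host might report
# them. The third value carries a tag with an event handler; a widget that
# renders raw HTML would hand it to the browser unchanged.
SAMPLE_HISTORY = [
    {"itemid": 10001, "clock": 1778025600, "value": "load average: 0.42"},
    {"itemid": 10001, "clock": 1778025660, "value": "disk <b>ok</b>"},
    {"itemid": 10001, "clock": 1778025720,
     "value": '<img src=x onerror="alert(1)">'},
]

# Matches any HTML open or close tag in a collected value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_value_html_mode(value: str) -> str:
    """Vulnerable rendering: the value is embedded verbatim because the
    widget's HTML display option is on. Any tag in the collected data
    survives into the page and the browser interprets it."""
    return f"<td>{value}</td>"


def render_value_escaped(value: str) -> str:
    """Hardened rendering (the effect of disabling HTML display): every HTML
    metacharacter is entity-encoded, so the browser shows the text and
    executes nothing."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def flag_markup_in_history(rows):
    """Defender-side check: return the rows whose collected value contains
    HTML tags. Markup arriving from a host is worth an alert regardless of
    how the dashboard widgets happen to render it."""
    return [r for r in rows if MARKUP_RE.search(r["value"])]


def widget_config_is_safe(widget: dict) -> bool:
    """Hypothetical configuration check mirroring the recommendation: the
    widget is only considered safe when raw HTML display is off."""
    return not widget.get("show_as_html", False)


if __name__ == "__main__":
    for row in SAMPLE_HISTORY:
        print("raw    :", render_value_html_mode(row["value"]))
        print("escaped:", render_value_escaped(row["value"]))
    print("rows with markup:",
          [r["clock"] for r in flag_markup_in_history(SAMPLE_HISTORY)])
```

Running the module prints each sample value both ways; only the escaped form is inert in a browser. The `flag_markup_in_history` check is the piece a practitioner would wire into collection-side monitoring, because it catches the injected content before any widget setting decides whether to render it.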
Fix
XSS
Affected Products
Zabbix