CVE-2026-23923

Summary

An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.

Affected Software

VendorProductVersion RangeStatus
ZabbixZabbix7.4.0 <= 7.4.6affected

Weaknesses

  • CWE-470: CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References