CVE-2026-23926

Summary

An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip.

Affected Software

VendorProductVersion RangeStatus
ZabbixZabbix7.0.0 <= 7.0.23affected
ZabbixZabbix7.4.0 <= 7.4.7affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Workarounds

Disable the Host navigator widget via Administration -> General -> Modules.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References