CVE-2026-23926
7.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Zabbix | Zabbix | 7.0.0 <= 7.0.23 | affected |
| Zabbix | Zabbix | 7.4.0 <= 7.4.7 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Workarounds
Disable the Host navigator widget via Administration -> General -> Modules.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.