| CVE ID |
CVE-2026-23923 |
| CVSS score |
6.9 (Medium) |
| CVSS vector |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| Affected components |
Frontend |
| Summary |
Unauthenticated arbitrary PHP class instantiation |
| Description |
An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time. |
| Known attack vectors |
The action can be invoked by any user able to reach Frontend. |
| Affected and fix version/s |
Affected: 7.4.0 - 7.4.6 → Fixed: 7.4.7 |
| Mitigation |
Update the affected components to their respective fixed versions. |
| Workarounds |
- |
| Acknowledgements |
Zabbix wants to thank pitticus for submitting this report on the HackerOne bug bounty platform. |
Defect (Security)
Major