- Type: Defect (Security)
- Resolution: Fixed
- Priority: Major
- Affects Version/s: None
- Component/s: Frontend (F)
| Field | Value |
| --- | --- |
| CVE ID | CVE-2026-23928 |
| CVSS score | 7.3 (High) |
| CVSS vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| Affected components | Frontend |
| Summary | Stored XSS vulnerability in the Item history/Plain text widget |
| Description | The Item history widget (Zabbix 7.0+) and its predecessor, the Plain text widget (Zabbix 6.0), render item values as raw HTML when the widget's HTML display option is enabled, so JavaScript embedded in an item value is executed in the browser of whoever opens a dashboard containing the widget. The script then runs with that user's session and privileges, so the impact depends on which user views the dashboard. The malicious value must originate from a monitored host the attacker controls. Note: the Item history widget replaced the Plain text widget in Zabbix 7.0. |
| Known attack vectors | An attacker-controlled monitored host reports a malicious JavaScript payload as item data; the Item history/Plain text widget renders it as HTML and the victim's browser executes it. |
| Affected and fix version/s | Affected: 6.0.0 - 6.0.44, fixed in 6.0.45; Affected: 7.0.0 - 7.0.23, fixed in 7.0.24; Affected: 7.4.0 - 7.4.7, fixed in 7.4.8 |
| Mitigation | Update the affected components to the fixed version of your release branch. |
| Workarounds | Disable HTML display in every Item history/Plain text widget, or disable the widget entirely under Administration -> General -> Modules (Zabbix 7.0+). |
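The description above comes down to one dangerous sink: with HTML display enabled, the widget writes an attacker-controlled item value into the page as markup. The following is an added illustration of that bug class and of the allow-list fix a frontend would apply, not Zabbix frontend code; the function names, the allowed tag and attribute lists, the triage regex and the sample payload are all assumptions constructed for this example:

```javascript
'use strict';
// Added illustration of the CVE-2026-23928 bug class. Not Zabbix code: every
// name below is hypothetical. The item value is attacker-controlled because it
// originates on the monitored host.

// Escape a string so the browser treats it strictly as text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Vulnerable pattern: with HTML display on, the raw item value becomes markup
// (typically via element.innerHTML = value).
function renderItemValueVulnerable(value, showAsHtml) {
  return showAsHtml ? String(value) : escapeHtml(value);
}

// Allow-list sanitizer: keeps the inline formatting a value may legitimately
// carry and drops every other tag and every attribute that can carry script.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'em', 'strong', 'code', 'pre', 'span', 'br']);
const ALLOWED_ATTRS = new Set(['class', 'title']);
const VOID_TAGS = new Set(['br']);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitizeAttrs(rawAttrs) {
  let out = '';
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!ALLOWED_ATTRS.has(name)) continue;   // drops on*, href, src, style, ...
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    // Values are re-escaped on output; a pre-encoded entity in the value gets
    // double-encoded, which is the conservative direction.
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

function sanitizeItemHtml(value) {
  const s = String(value);
  let out = '';
  let last = 0;
  for (const m of s.matchAll(TAG_RE)) {
    out += escapeHtml(s.slice(last, m.index));  // text between tags
    last = m.index + m[0].length;
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;        // tag dropped, its text kept
    if (closing) {
      if (!VOID_TAGS.has(tag)) out += `</${tag}>`;
    } else {
      out += `<${tag}${sanitizeAttrs(m[3])}>`;
    }
  }
  out += escapeHtml(s.slice(last));
  return out;
}

// Hardened widget: HTML display now means sanitized HTML, never raw markup.
function renderItemValueHardened(value, showAsHtml) {
  return showAsHtml ? sanitizeItemHtml(value) : escapeHtml(value);
}

// Triage helper for stored values: flags markup that can execute script, for
// reviewing item history after a monitored host is suspected of being hostile.
const PAYLOAD_RE = /<\s*(script|iframe|svg|img|object|embed|math|style)\b|\son[a-z]+\s*=|javascript:/i;
function looksLikeXssPayload(value) {
  return PAYLOAD_RE.test(String(value));
}

// Constructed sample of what a hostile monitored host might report as a value.
const SAMPLE_PAYLOAD =
  '<img src=x onerror="alert(document.cookie)">42 <b title="cpu load" onclick="steal()">OK</b>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable :', renderItemValueVulnerable(SAMPLE_PAYLOAD, true));
  console.log('hardened   :', renderItemValueHardened(SAMPLE_PAYLOAD, true));
  console.log('flagged    :', looksLikeXssPayload(SAMPLE_PAYLOAD));
}
```

The sanitizer deliberately drops disallowed tags but keeps their text, so `<script>alert(1)</script>` survives only as inert text; the workaround in the advisory (HTML display off) corresponds to the `showAsHtml === false` path, which escapes everything.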