-
Type:
Defect (Security)
-
Resolution: Fixed
-
Priority:
Major
-
None
-
Affects Version/s: None
-
Component/s: Proxy (P), Server (S)
-
None
| CVE ID | CVE-2026-23920 |
| CVSS score | 7.7 (High) |
| CVSS vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| Affected components | Server, Proxy |
| Summary | Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection |
| Description | Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands. |
| Known attack vectors | Authenticated users with script execution permissions can bypass ^ and $ regex validation by injecting a newline character. |
| Affected and fix version/s | Affected: 7.0.0 - 7.0.21 → Fixed: 7.0.22 Affected: 7.2.0 - 7.2.14 → Fixed: 7.2.15 Affected: 7.4.0 - 7.4.5 → Fixed: 7.4.6 |
| Mitigation | Update the affected components to their respective fixed versions. |
| Workarounds | It is possible to use \A and \z anchors in the regex validation as a workaround. |
| Acknowledgements | Zabbix wants to thank YoKo Kho (@YoKoAcc) from PT ITSEC Asia, Tbk for submitting this report on the HackerOne bug bounty platform. |