| CVE ID |
CVE-2026-23920 |
| CVSS score |
7.7 (High) |
| CVSS vector |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| Affected components |
Server, Proxy |
| Summary |
Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection |
| Description |
Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands. |
| Known attack vectors |
Authenticated users with script execution permissions can bypass ^ and $ regex validation by injecting a newline character. |
| Affected and fix version/s |
Affected: 7.0.0 - 7.0.21 → Fixed: 7.0.22
Affected: 7.2.0 - 7.2.14 → Fixed: 7.2.15
Affected: 7.4.0 - 7.4.5 → Fixed: 7.4.6 |
| Mitigation |
Update the affected components to their respective fixed versions. |
| Workarounds |
It is possible to use \A and \z anchors in the regex validation as a workaround. |
| Acknowledgements |
Zabbix wants to thank YoKo Kho (@YoKoAcc) from PT ITSEC Asia, Tbk for submitting this report on the HackerOne bug bounty platform. |