SB2026050645 - Multiple vulnerabilities in Zabbix
Published: May 6, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-23928)
The vulnerability allows a remote user to perform unauthorized actions.
The vulnerability exists due to cross-site scripting in the Item history/Plain text widget when rendering monitored host data with HTML display enabled. A remote privileged user can send a malicious JavaScript payload from a controlled monitored host to perform unauthorized actions.
User interaction is required, and exploitation occurs when a user opens a dashboard containing the affected widget.
2) Input validation error (CVE-ID: CVE-2026-23927)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper input validation in the Agent 2 Oracle plugin when processing the 'service' parameter in TNS connection strings. A remote privileged user can send a specially crafted request to disclose sensitive information.
Exploitation can cause Agent 2 to connect to an attacker-controlled server and leak Oracle database credentials if they are saved in a named session.
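As an added example, not Zabbix code and not the vendor's actual fix, this shows the kind of allowlist check a defender would expect around a connection-string parameter such as the Oracle plugin's 'service' value: host, port and service name are validated separately before assembly, so descriptor or separator characters in the service value cannot point the connection at a different server. The EZCONNECT "host:port/service" layout, the regexes and the error names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strconv"
)

// Allowlist for an Oracle service name (assumed shape, for illustration). The
// characters that open TNS descriptor syntax ('(', '=', ')') or separate
// EZCONNECT fields ('@', ':', '/') are not in the set, so a service value
// cannot smuggle a different HOST/PORT into the connect string.
var serviceNameRe = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.$-]{0,127}$`)

// Hostname as dot-separated DNS labels: letters, digits, hyphens, no leading or trailing hyphen.
var hostnameRe = regexp.MustCompile(`^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

var ErrBadService = errors.New("invalid oracle service name")
var ErrBadHost = errors.New("invalid oracle host")
var ErrBadPort = errors.New("invalid oracle port")

// ValidateService returns nil only when s is a plain service name.
func ValidateService(s string) error {
	if !serviceNameRe.MatchString(s) {
		return ErrBadService
	}
	return nil
}

// BuildConnectString assembles an EZCONNECT "host:port/service" string from
// separately validated parts instead of concatenating raw parameter values.
func BuildConnectString(host string, port int, service string) (string, error) {
	if err := ValidateService(service); err != nil {
		return "", err
	}
	if net.ParseIP(host) == nil && !hostnameRe.MatchString(host) { // neither IP literal nor hostname
		return "", ErrBadHost
	}
	if port < 1 || port > 65535 {
		return "", ErrBadPort
	}
	return net.JoinHostPort(host, strconv.Itoa(port)) + "/" + service, nil
}

func main() {
	cs, err := BuildConnectString("db.internal", 1521, "svc@other.example:1521/x") // constructed input
	fmt.Printf("%q %v\n", cs, err)                                                  // "" invalid oracle service name
}
```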
3) Cross-site scripting (CVE-ID: CVE-2026-23926)
The vulnerability allows a remote user to perform unauthorized actions.
The vulnerability exists due to cross-site scripting in the Host navigator widget maintenance tooltip when rendering a maintenance period tooltip. A remote privileged user can create a maintenance period with a malicious JavaScript payload to perform unauthorized actions.
User interaction is required to open the tooltip for the crafted maintenance period in the Host navigator widget.
Remediation
Install the update from the vendor's website.