Cross-site scripting in Zabbix - CVE-2026-23926

 


Published: May 6, 2026


Vulnerability identifier: #VU130255
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23926
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Zabbix
Software vendor:
Zabbix

Description

The vulnerability allows a remote user to perform unauthorized actions.

The vulnerability exists due to cross-site scripting in the Host navigator widget when rendering a maintenance period tooltip. A remote privileged user can create a maintenance period containing a malicious JavaScript payload to perform unauthorized actions.

User interaction is required to open the tooltip for the crafted maintenance period in the Host navigator widget.
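Until the update is installed, existing maintenance periods can be reviewed for embedded markup. The following check is an added example, not part of the advisory or of Zabbix's code: it walks every text field of each maintenance record and flags strings that contain markup, including entity-encoded markup. The record layout (as exported via the `maintenance.get` API method) and the patterns are assumptions; the advisory does not say which field carries the payload.

```python
import html
import re

# Patterns suggesting markup rather than plain descriptive text (assumed heuristics).
MARKUP_PATTERNS = {
    "html tag": re.compile(r"<[a-zA-Z/!]"),
    "event-handler attribute": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
}


def iter_strings(value, path=""):
    """Yield (path, string) for every string nested inside value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from iter_strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from iter_strings(item, f"{path}[{index}]")


def audit_maintenances(records):
    """Return (maintenanceid, field path, reasons) for each suspicious string."""
    findings = []
    for record in records:
        for path, text in iter_strings(record):
            # Decode entities so "&lt;script&gt;" is treated like "<script>".
            decoded = html.unescape(text)
            reasons = [name for name, rx in MARKUP_PATTERNS.items()
                       if rx.search(text) or rx.search(decoded)]
            if reasons:
                findings.append((record.get("maintenanceid"), path, reasons))
    return findings


# Constructed sample records (not real data); field names are assumed.
SAMPLE = [
    {"maintenanceid": "11", "name": "Weekly DB patching",
     "description": "Saturday 02:00-04:00, load < 5 expected",
     "tags": [{"tag": "team", "value": "dba"}]},
    {"maintenanceid": "12", "name": "Router swap <img src=x onerror=...>",
     "description": ""},
    {"maintenanceid": "13", "name": "Cooling work",
     "description": "&lt;script&gt;...&lt;/script&gt;"},
]

if __name__ == "__main__":
    for finding in audit_maintenances(SAMPLE):
        print(finding)
```

A hit is a prompt for manual review, not proof of abuse; because creating a maintenance period requires a privileged account, the account that created a flagged record is worth reviewing as well.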


Remediation

Install the security update from the vendor's website.
