Bug 2466965 (CVE-2026-23928)

Summary: CVE-2026-23928 Zabbix: Zabbix: Cross-Site Scripting (XSS) vulnerability allows unauthorized actions via injected JavaScript in widgets.
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Zabbix. The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This Cross-Site Scripting (XSS) vulnerability allows an attacker, who controls a monitored host, to inject malicious JavaScript. When a user opens a dashboard containing these widgets, the attacker can perform unauthorized actions within the context of that user's session.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2467039, 2467040, 2467041, 2467042    
Bug Blocks:    

Description OSIDB Bzimport 2026-05-06 08:01:21 UTC 
The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0.