2466965 – (CVE-2026-23928) CVE-2026-23928 Zabbix: Zabbix: Cross-Site Scripting (XSS) vulnerability allows unauthorized actions via injected JavaScript in widgets.

Bug 2466965 (CVE-2026-23928) - CVE-2026-23928 Zabbix: Zabbix: Cross-Site Scripting (XSS) vulnerability allows unauthorized actions via injected JavaScript in widgets.

Summary: CVE-2026-23928 Zabbix: Zabbix: Cross-Site Scripting (XSS) vulnerability allow...

Keywords:
Status:	NEW
Alias:	CVE-2026-23928
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2467039 2467040 2467041 2467042
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-06 08:01 UTC by OSIDB Bzimport
Modified:	2026-05-06 11:50 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-06 08:01:21 UTC

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0.

Note You need to log in before you can comment on or make changes to this bug.