Description
Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.
Published: 2026-03-24
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Immediate Patch
AI Analysis

Impact

Zabbix host and event action scripts are filtered by a user-defined regular expression, but the pattern is evaluated in multiline mode. An attacker who can set a script can insert a newline; because ^ and $ then match at line boundaries, the pattern is satisfied by a single conforming line while the remaining lines are never checked, so crafted input bypasses validation. The result is that arbitrary shell commands are executed with the privileges of the Zabbix server, posing a risk of data theft, system compromise, or denial of service. The weakness is a classic command injection flaw (CWE-78).

Affected Systems

The vulnerability affects Zabbix products. Specific component names and version ranges are not listed in the advisory, so all installations that allow host or event scripts configured with a regex validator are potentially exposed until a patch is applied.

Risk and Exploitability

The CVSS score is 7.7, indicating high severity. No EPSS score is available, and the issue is not included in CISA's KEV catalog. Exploitation requires an authenticated user with permission to configure host or event scripts, so the attack vector is internal rather than remote. Because the weakness cannot be reached by unauthenticated users, the likelihood of wide-scale exploitation is lower, but the impact remains significant when such an account is compromised.

Generated by OpenCVE AI on March 24, 2026 at 20:26 UTC.

Remediation

Vendor Solution

Update the affected components to their respective fixed versions.


Vendor Workaround

It is possible to use \A and \z anchors in the regex validation as a workaround.


OpenCVE Recommended Actions

  • Update all Zabbix components to the fixed versions disclosed by the vendor
  • If immediate patching is not possible, modify the script validation regex to use \A and \z anchors instead of ^ and $
  • Limit the permissions of users who can configure host or event action scripts to reduce the attack surface
  • After applying a patch or workaround, verify that the regex validation now rejects inputs containing newlines
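The workaround and the recommended actions above come down to one check: does the validator accept an input that contains a line break? The following Go program is an added illustration, not Zabbix's own code; it reconstructs the flaw as the advisory describes it (an administrator-supplied pattern compiled with the multiline flag) and places it beside the vendor workaround (\A and \z anchors) and a defence-in-depth newline check. The function names, the two patterns and the sample inputs are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// validateScript models the flaw described in the advisory: the
// administrator-supplied pattern is compiled with the multiline flag (?m),
// so ^ and $ match at every line boundary instead of only at the start and
// end of the whole input. Illustrative reconstruction, not Zabbix code.
func validateScript(adminPattern, input string) bool {
	re := regexp.MustCompile("(?m)" + adminPattern)
	return re.MatchString(input)
}

// rejectsNewlines is the post-patch verification check from the recommended
// actions: any input containing a line break is refused before the regex is
// even consulted.
func rejectsNewlines(input string) bool {
	return !strings.ContainsAny(input, "\r\n")
}

// hardenedValidate combines both defences: refuse line breaks outright, then
// apply the administrator's pattern, which is expected to use \A and \z.
func hardenedValidate(adminPattern, input string) bool {
	if !rejectsNewlines(input) {
		return false
	}
	return validateScript(adminPattern, input)
}

const (
	// Administrator-chosen patterns (assumed for this example). The first is
	// the vulnerable ^...$ style; the second is the vendor workaround.
	weakPattern   = `^[A-Za-z0-9_.-]+$`
	strongPattern = `\A[A-Za-z0-9_.-]+\z`
)

// Constructed sample inputs: a benign host name, and the same name followed
// by an injected line break and a second line. The second line is a
// placeholder; the point is that the weak pattern never examines it.
var (
	cleanInput    = "web01"
	injectedInput = "web01\nsecond line that the weak pattern never sees"
)

func main() {
	for _, in := range []string{cleanInput, injectedInput} {
		fmt.Printf("input %q\n", in)
		fmt.Printf("  weak   (^...$ in multiline mode): %v\n", validateScript(weakPattern, in))
		fmt.Printf("  strong (\\A...\\z):                %v\n", validateScript(strongPattern, in))
		fmt.Printf("  hardened (no line breaks):       %v\n", hardenedValidate(strongPattern, in))
	}
}
```

Running it shows the weak pattern accepting the injected input (its first line alone satisfies ^...$) while the \A...\z pattern and the hardened check both reject it. One caveat when carrying this over to a PCRE-based engine such as PHP's preg functions: there `$` also matches before a single trailing newline even without multiline mode, whereas `\z` matches only at the true end of the string, which is why the vendor workaround names \z rather than $.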

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Zabbix; Zabbix zabbix

Type: Vendors & Products
Values Removed: (none)
Values Added: Zabbix; Zabbix zabbix

Tue, 24 Mar 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.

Type: Title
Values Removed: (none)
Values Added: Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-78

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0
{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Zabbix

Published:

Updated: 2026-03-26T03:55:29.372Z

Reserved: 2026-01-19T14:02:54.327Z

Link: CVE-2026-23920

Vulnrichment

Updated: 2026-03-25T19:24:08.184Z

NVD

Status: Awaiting Analysis

Published: 2026-03-24T19:16:49.557

Modified: 2026-03-25T15:41:58.280

Link: CVE-2026-23920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:49:22Z

Weaknesses