Description
The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0.
Published: 2026-05-06
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Item history widget in Zabbix 7.0+ and the Plain text widget in Zabbix 6.0 can execute JavaScript that has been injected into the widget’s contents when HTML display is enabled. A malicious script injected from a monitored host that an attacker controls will run in the browser context of any user who views a dashboard containing the widget, allowing the attacker to abuse that user’s session and privileges or to perform arbitrary actions on their behalf. This is a classic cross‑site scripting weakness, classified as CWE‑79.

Affected Systems

Zabbix is the affected vendor. The vulnerability applies to Zabbix 7.0 and later through the Item history widget and to Zabbix 6.0 via the Plain text widget. The fix is distributed in later releases noted by the vendor’s support channel.

Risk and Exploitability

The CVSS base score of 7.3 indicates high severity; no EPSS score is available, and the issue is not currently listed in the CISA KEV catalog. The likely attack vector is injection of malicious JavaScript via a host that feeds data into these widgets: the attacker must control the host data source, and a user must open the affected dashboard for exploitation to succeed. Given the moderate to high severity and the absence of any known exploit, the risk remains significant for organizations that use these widgets and have exposed interfaces for host data.

Generated by OpenCVE AI on May 6, 2026 at 08:50 UTC.

Remediation

Vendor Solution

Update the affected components to their respective fixed versions.


Vendor Workaround

Do not use HTML display in Item history/Plain text widget or disable this widget entirely in Administration -> General -> Modules (Zabbix 7.0+).


OpenCVE Recommended Actions

  • Update Zabbix to the latest fixed versions of the affected components as released by the vendor.
  • If a patch cannot be applied at once, disable HTML display for the Item history or Plain text widget, or turn off the widget entirely through Administration → General → Modules in Zabbix 7.0+ to prevent script execution.
  • Audit and restrict monitored host data sources to trusted owners, ensuring that only secure and verified data is fed into these widgets.
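The audit step above can be backed by a check over the item values that reach these widgets. The following is an added example, not Zabbix project code or OpenCVE's: it models the widget's two rendering modes (escaped text versus raw HTML, a simplified, hypothetical stand-in for the real widget) and scans a constructed set of history records for HTML tags, inline event-handler attributes and `javascript:` URIs, which plain monitoring values from a trusted host should never contain. The host names, item keys and values are constructed sample data.

```python
"""Audit Zabbix item history values for embedded HTML/script markup.

Added example (not Zabbix project code). Models how a widget with
"HTML display" renders a value, and flags exported history values that
carry active markup so they can be traced back to their source host.
"""
from __future__ import annotations

import html
import re

# Markers of active HTML content inside what should be a plain text value.
_TAG_NAME_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")
_EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
_SCRIPT_URI_RE = re.compile(r"javascript\s*:", re.IGNORECASE)

# Constructed sample records in the shape of a simplified history export.
# Hosts, keys and values are made up for illustration.
SAMPLE_HISTORY = [
    {"host": "web-01", "key": "system.uname", "value": "Linux web-01 6.1.0 x86_64"},
    {"host": "web-02", "key": "vfs.file.contents[/etc/motd]", "value": "Welcome to web-02"},
    {"host": "rogue-host", "key": "custom.banner",
     "value": '<b>ok</b><span onmouseover="runScript()">status</span>'},
    {"host": "rogue-host", "key": "custom.link",
     "value": '<a href="javascript:runScript()">status</a>'},
]


def find_markup(value: str) -> list[str]:
    """Describe any HTML/script markup found in an item value.

    Returns an empty list when the value looks like plain text.
    """
    findings: list[str] = []
    tags = {t.lower() for t in _TAG_NAME_RE.findall(value)}
    if tags:
        findings.append("html tags: " + ", ".join(sorted(tags)))
    if _EVENT_ATTR_RE.search(value):
        findings.append("inline event handler attribute")
    if _SCRIPT_URI_RE.search(value):
        findings.append("javascript: URI")
    return findings


def render_widget(value: str, html_display: bool) -> str:
    """Simplified, hypothetical model of the widget's two display modes.

    With html_display=False the value is HTML-escaped and the browser shows
    it literally; with html_display=True it is inserted as-is, which is the
    condition under which injected markup becomes active.
    """
    if html_display:
        return value
    return html.escape(value, quote=True)


def audit_history(records: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (host, key, findings) for every record whose value carries markup."""
    flagged = []
    for rec in records:
        findings = find_markup(rec["value"])
        if findings:
            flagged.append((rec["host"], rec["key"], findings))
    return flagged


if __name__ == "__main__":
    for host, key, findings in audit_history(SAMPLE_HISTORY):
        print(f"{host} {key}: {'; '.join(findings)}")
    risky = SAMPLE_HISTORY[2]["value"]
    print("escaped rendering:", render_widget(risky, html_display=False))
```

Run it against a real history export by replacing `SAMPLE_HISTORY` with records read from the Zabbix API or database; any host that appears in the flagged list is a candidate for the ownership review recommended above, independently of whether the dashboard widgets have been patched.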

Advisories

No advisories yet.

History

Wed, 06 May 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Zabbix; Zabbix zabbix
Vendors & Products   (none)           Zabbix; Zabbix zabbix

Wed, 06 May 2026 07:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0.
Title         (none)           Stored XSS vulnerability in the Item history/Plain text widget
Weaknesses    (none)           CWE-79
References    (none)           (none)
Metrics       (none)           cvssV4_0 {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Zabbix

Published:

Updated: 2026-05-06T07:00:33.681Z

Reserved: 2026-01-19T14:02:54.327Z

Link: CVE-2026-23928

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T08:16:03.100

Modified: 2026-05-06T08:16:03.100

Link: CVE-2026-23928

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T09:00:10Z

Weaknesses