CVE-2026-23920

HIGH

Zabbix 7.x Script Validation - Authenticated Command Injection

Title source: manual

Description

Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.

References (1)

Core 1

Core References

https://support.zabbix.com/browse/ZBX-27639

Scores

CVSS v4 7.7

EPSS 0.0025

EPSS Percentile 15.9%

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (3)

Zabbix/Zabbix 7.0.0 - 7.0.21

Zabbix/Zabbix 7.2.0 - 7.2.14

Zabbix/Zabbix 7.4.0 - 7.4.5

Published Mar 24, 2026

Tracked Since Mar 25, 2026