EIP-2026-114564

PRE-CVE

Zabbix 2.2.x/3.0.x - SQL Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114564. PoCs published by 1n3.

AI-analyzed exploit summary: The document describes a SQL injection vulnerability in Zabbix 2.2.x and 3.0.x, where the toggle_ids array in latest.php is not properly sanitized. An authenticated attacker (or guest user) can exploit this to gain full database access, potentially leading to privilege escalation or command execution on the underlying system.

Description

Zabbix 2.2.x/3.0.x - SQL Injection

Exploits (1)

exploitdb WRITEUP
by 1n3 · text · webapps · php
https://www.exploit-db.com/exploits/40237

Classification: Writeup 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Zabbix 2.2.x, 3.0.x
No auth needed
Prerequisites: Access to the latest.php page, either as an authenticated user or via guest mode
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026