CVE-2025-49643
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-12-01
Last updated on: 2026-02-06
Assigner: Zabbix
Description
Description
An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zabbix | frontend | From 7.4.0 (inc) to 7.4.3 (inc) |
| zabbix | zabbix | 4.0 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-405 | The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows any authenticated Zabbix user, including the Guest user, to send specially crafted parameters to the /imgstore.php endpoint. Doing so causes a disproportionate CPU load on the webserver, which can lead to a denial of service condition.
How can this vulnerability impact me? :
The vulnerability can impact you by causing the webserver hosting Zabbix to experience high CPU usage, potentially making the service unavailable or significantly degraded. This denial of service can disrupt monitoring and management functions provided by Zabbix.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70