CVE-2026-23923
PHP Object Injection via Unauthenticated Frontend Validate Action in Zabbix
Publication date: 2026-03-24
Last updated on: 2026-03-24
Assigner: Zabbix
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zabbix | zabbix | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-470 | The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows an unauthenticated attacker to exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes.
The exact impact depends on the environment setup but currently appears to be limited.
How can this vulnerability impact me? :
The impact of this vulnerability depends on the environment setup.
Since it allows arbitrary PHP class instantiation without authentication, it could potentially lead to unexpected behavior or exploitation depending on the specific environment, but the impact is currently considered limited.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know