CVE-2026-23928
Stored XSS in Zabbix Dashboard Widgets via Monitored Host
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: Zabbix
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zabbix | item_history_widget | From 7.0 (inc) |
| zabbix | plain_text_widget | to 6.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Item history widget (in Zabbix 7.0 and later) and the Plain text widget (in Zabbix 6.0). When HTML display is enabled, these widgets can execute injected JavaScript code.
An attacker who controls a monitored host can inject malicious JavaScript into these widgets. When a user opens a dashboard containing the affected widget, the injected JavaScript runs with that user's permissions.
This means the attacker can perform unauthorized actions depending on the privileges of the user viewing the dashboard.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker can execute unauthorized actions within the Zabbix dashboard environment by injecting malicious JavaScript.
Since the malicious code runs with the permissions of the user who opens the dashboard, the attacker could potentially perform actions that the user is authorized to do, leading to unauthorized access or manipulation of data.
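The data flow described above (monitored host controls an item value, the widget places it in the dashboard when HTML display is enabled), modelled as an added example; this is not Zabbix code, and the allowlist, the sample value and the function names are assumptions chosen for illustration. It contrasts the raw pass-through with a hardened renderer that keeps HTML display but reduces the value to an allowlist of formatting tags.

```python
# Added example (not Zabbix code). Models an item-history value supplied by a
# monitored host flowing into a dashboard widget with "HTML display" enabled.
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "br", "p", "span"}   # assumed allowlist
ALLOWED_ATTRS = {"span": {"title"}}                 # no URL-bearing attributes
VOID_TAGS = {"br"}

class AllowlistSanitizer(HTMLParser):
    """Keeps allowlisted tags, drops all other tags, every on* handler and
    the whole content of <script>/<style>; escapes all text and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0          # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS or self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def render_widget_value(value, html_display, hardened):
    """HTML fragment the widget would place into the dashboard page."""
    if not html_display:
        return html.escape(value, quote=True)   # plain mode: always escaped
    if not hardened:
        return value                            # vulnerable: host data as raw HTML
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)

# Constructed sample value, as a compromised host could report it.
SAMPLE = '<b>disk ok</b><img src=x onerror=alert(1)><script>alert(2)</script>'
```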