CVE-2026-23928
Awaiting Analysis Awaiting Analysis - Queue
Stored XSS in Zabbix Dashboard Widgets via Monitored Host

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: Zabbix

Description
The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23928
EUVD
EUVD-2026-27530
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zabbix item_history_widget From 7.0 (inc)
zabbix plain_text_widget to 6.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Item history widget (in Zabbix 7.0 and later) and the Plain text widget (in Zabbix 6.0). When HTML display is enabled, these widgets can execute injected JavaScript code.

An attacker who controls a monitored host can inject malicious JavaScript into these widgets. When a user opens a dashboard containing the affected widget, the injected JavaScript runs with that user's permissions.

This means the attacker can perform unauthorized actions depending on the privileges of the user viewing the dashboard.

Impact Analysis

The impact of this vulnerability is that an attacker can execute unauthorized actions within the Zabbix dashboard environment by injecting malicious JavaScript.

Since the malicious code runs with the permissions of the user who opens the dashboard, the attacker could potentially perform actions that the user is authorized to do, leading to unauthorized access or manipulation of data.

Mitigation Strategies

To mitigate this vulnerability, you should disable the HTML display feature in the Item history widget (Zabbix 7.0+) or the Plain text widget (Zabbix 6.0) to prevent execution of injected JavaScript.

Additionally, ensure that monitored hosts are trusted and not controlled by attackers, as the malicious JavaScript must originate from a monitored host.

Consider updating to the latest version of Zabbix where possible, and review user permissions to limit exposure to potentially malicious dashboards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23928. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart