HIGHCVE-2026-23920Published Modified CNA Zabbix
CVE-2026-23920: Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection
Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.
Metrics
- CVSS v4.0
- 7.7
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
Affected packages
- Zabbix / Zabbix≤ 7.0.21 · ≤ 7.2.14 · ≤ 7.4.5
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences