wid-sec-w-2026-0857  ·  Published 2026-03-24  ·  Source: BSI CERT-Bund

Zabbix: Multiple Vulnerabilities

CVSS 8.7 HIGH

Risk Summary

For performance reasons, Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript preprocessing, and webhooks). This can lead to a loss of confidentiality in which a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built-in Zabbix JavaScript objects read-only, but usage of global JavaScript variables is still not recommended because their content could be leaked. More information is available in the Zabbix documentation: https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe
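
The global-variable caveat above, modelled as an added example (not Zabbix code and not part of the advisory): a script that assigns to an undeclared name leaves it in the shared context, while a `var` declaration stays local to the run. It assumes script bodies run as `function(value)`; the helper names, script bodies and host data are constructed, and the JavaScript runtime's own global object stands in for the reused Duktape context.

```javascript
// Model of a reused script context: every script body runs as function(value)
// against the same global object. Constructed illustration, not Zabbix code.
function runScript(body, value) {
  // Function-constructor bodies are non-strict, so an undeclared assignment
  // creates a property on the shared global object.
  return new Function('value', body)(value);
}

// Run a script and report the global names it left behind in the shared context.
function globalsLeftBehind(body, value) {
  const before = new Set(Object.getOwnPropertyNames(globalThis));
  runScript(body, value);
  return Object.getOwnPropertyNames(globalThis).filter((n) => !before.has(n));
}

// Remove the reported names so the next check starts from a clean context.
function resetGlobals(names) {
  for (const n of names) delete globalThis[n];
}

// Constructed sample scripts and data (hypothetical host and field names).
const UNSAFE = 'parsed = JSON.parse(value); return parsed.temp;';   // implicit global
const SAFE = 'var parsed = JSON.parse(value); return parsed.temp;'; // function-local
const LATER = 'return typeof parsed === "undefined" ? null : JSON.stringify(parsed);';
const HOST_A_DATA = '{"host":"host-a","temp":41}';

// What a later script in the same context can see after an earlier one ran.
function visibleToLaterScript(firstBody) {
  const leaked = globalsLeftBehind(firstBody, HOST_A_DATA);
  const seen = runScript(LATER, '{}');
  resetGlobals(leaked);
  return { leaked, seen };
}

console.log('unsafe:', visibleToLaterScript(UNSAFE));
console.log('safe:  ', visibleToLaterScript(SAFE));
```

Running `globalsLeftBehind` over each script body before deploying it gives a quick check that nothing persists between executions.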

Affected Vendors

Zabbix

Affected Products (20)

Zabbix · Zabbix <7.4.3
Zabbix · Zabbix 7.4.3
Zabbix · Zabbix <7.0.19
Zabbix · Zabbix 7.0.19
Zabbix · Zabbix <7.2.13
Zabbix · Zabbix 7.2.13
Zabbix · Zabbix <6.0.41
Zabbix · Zabbix 6.0.41
Zabbix · Zabbix <7.0.22
Zabbix · Zabbix 7.0.22
Zabbix · Zabbix <7.2.15
Zabbix · Zabbix 7.2.15
Zabbix · Zabbix <7.4.6
Zabbix · Zabbix 7.4.6
Zabbix · Zabbix <7.4.7
Zabbix · Zabbix 7.4.7
Zabbix · Zabbix <7.0.23
Zabbix · Zabbix 7.0.23
Zabbix · Zabbix <6.0.44
Zabbix · Zabbix 6.0.44
