Zabbix


Products by Zabbix Sorted by Most Security Vulnerabilities since 2018

Product | Vulnerabilities
Zabbix | 71
Zabbix Frontend | 17
Zabbix Agent2 | 4
Zabbix Server | 2
Zabbix Agent | 1

Known Exploited Zabbix Vulnerabilities

The following Zabbix vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title | Description | CVE | Exploit Probability | Added
Zabbix Frontend Authentication Bypass Vulnerability | Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML. | CVE-2022-23131 | 94.3% | February 22, 2022
Zabbix Frontend Improper Access Control Vulnerability | Malicious actors can pass step checks and potentially change the configuration of Zabbix Frontend. | CVE-2022-23134 | 93.1% | February 22, 2022

Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 6 vulnerabilities in Zabbix. Last year, in 2025, Zabbix had 16 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Zabbix in 2026 could surpass last year's number.

Year | Vulnerabilities | Average Score
2026 | 6 | 0.00
2025 | 16 | 0.00
2024 | 17 | 5.55
2023 | 19 | 7.19
2022 | 15 | 5.32
2021 | 1 | 8.80
2020 | 2 | 6.10
2019 | 3 | 0.00

It may take a day or so for new Zabbix vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Zabbix Security Vulnerabilities

CVE | Date | Products
Title
Description

CVE-2026-23924 | Mar 24, 2026 | Zabbix
Zabbix Agent 2 Docker Plugin Improper Sanitization Enables Arbitrary File Read
Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding them to the Docker daemon. An attacker capable of invoking Agent 2 can read arbitrary files from running Docker containers by injecting them via the Docker archive API.

CVE-2026-23923 | Mar 24, 2026 | Zabbix
Zabbix Frontend Arbitrary Class Instantiation via 'validate' Action
An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.

CVE-2026-23921 | Mar 24, 2026 | Zabbix
Zabbix API blind SQLi via sortfield in CApiService.php
A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.

CVE-2026-23920 | Mar 24, 2026 | Zabbix
Zabbix Script Regex Injection via Multiline Mode
Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.

CVE-2026-23919 | Mar 24, 2026 | Zabbix
Zabbix 7.4 Duktape Context Reuse Exposes Data
For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript preprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built-in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information is available in the Zabbix documentation: https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe

CVE-2026-23925 | Mar 06, 2026 | Zabbix
Zabbix Authenticated API import privilege escalation
An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.

CVE-2025-49643 | Dec 01, 2025 | Zabbix
Zabbix Auth User Can Trigger CPU DoS via imgstore.php
An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service.

CVE-2025-49642 | Dec 01, 2025 | Zabbix
Local User Hijack of Zabbix Agent Library Loading on AIX
Library loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory.

CVE-2025-27232 | Dec 01, 2025 | Zabbix
Zabbix AuthSupAdmin OAuth Auth Reads Files (CVE-2025-27232)
An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver, leading to potential confidentiality loss.

CVE-2025-49641 | Oct 03, 2025 | Zabbix
Zabbix: Unprivileged User Can Retrieve Active Problem List
A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.

CVE-2025-27237 | Oct 03, 2025 | Zabbix
Zabbix Agent/2 LPE via Writable OpenSSL Config on Windows
In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL.

CVE-2025-27236 | Oct 03, 2025 | Zabbix
Zabbix API DataMining via Unauthorized Select Fields
A regular Zabbix user can search other users in their user group via the Zabbix API by selecting fields the user does not have access to view. This allows data-mining some field values the user does not have access to.

CVE-2025-27231 | Oct 03, 2025 | Zabbix
Okta LDAP Bind PWD Leak via Host Change
The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host' to a rogue LDAP server. To mitigate this, the 'Bind password' value is now reset on 'Host' change.

CVE-2025-27240 | Sep 12, 2025 | Zabbix
SQLi in Zabbix Host Autoremoval via Visible Name Field
A Zabbix administrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field.

CVE-2025-27238 | Sep 12, 2025 | Zabbix
Zabbix API hostprototype.get Host Proto Leak to Unprivileged Users
Due to a bug in the Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them.

CVE-2025-27233 | Sep 12, 2025 | Zabbix, Zabbix Agent2
Zabbix Agent 2 smartctl Plugin: Param Injection Leaks NTLMv2
Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. This can be used to leak the NTLMv2 hash from a Windows system.

CVE-2025-27234 | Sep 12, 2025 | Zabbix
Zabbix Agent 2 smartctl RCE via unsanitized smart.disk.get (<=5.0)
Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. In Zabbix 5.0 this allows for remote code execution.

CVE-2024-36469 | Apr 02, 2025 | Zabbix
Login Timing Attack: Different Response for Non-Existing User
Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one.

CVE-2024-45700 | Apr 02, 2025 | Zabbix
Uncontrolled Resource Exhaustion in Zabbix Server Enables DoS
Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled resource exhaustion. An attacker can send specially crafted requests to the server, which will cause the server to allocate an excessive amount of memory and perform CPU-intensive decompression operations, ultimately leading to a service crash.

CVE-2024-45699 | Apr 02, 2025 | Zabbix
Zabbix XSS in /zabbix.php?action=export.valuemaps via backurl
The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint, causing it to be executed within the context of the victim's browser.

CVE-2024-42325 | Apr 02, 2025 | Zabbix
Zabbix API user.get Exposes Sensitive User Data
Zabbix API user.get returns all users that share a common group with the calling user. This includes media and other information, such as login attempts, etc.

CVE-2024-36465 | Apr 02, 2025 | Zabbix
Zabbix API SQLi via groupBy in CApiService.php
A low privilege (regular) Zabbix user with API access can use an SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter.

CVE-2024-36464 | Nov 27, 2024 | Zabbix
Plaintext Password Export via YAML in Media Types
When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.

CVE-2024-42327 | Nov 27, 2024 | Zabbix
Zabbix PHP API SQLi in CUser::addRelatedObjects via get()
A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function; this function is called from the CUser.get function, which is available to every user who has API access.

CVE-2024-42330 | Nov 27, 2024 | Frontend
HttpRequest Header Encoding Flaw Enables Prototype Pollution in Edge JS
The HttpRequest object allows getting the HTTP headers from the server's response after sending the request. The problem is that the returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript. This allows creating internal strings that can be used to access hidden properties of objects.

CVE-2024-42333 | Nov 27, 2024 | Zabbix
Zabbix Server Out-of-Bounds Read Memory Leak Vulnerability in Email Module
The researcher is showing that it is possible to leak a small amount of Zabbix Server memory using an out-of-bounds read in src/libs/zbxmedia/email.c.

CVE-2024-42332 | Nov 27, 2024 | Zabbix
Zabbix SNMP Trap Log Parsing Vulnerability
The researcher is showing that due to the way the SNMP trap log is parsed, an attacker can craft an SNMP trap with additional lines of information and have forged data show in the Zabbix UI. This attack requires SNMP auth to be off and/or the attacker to know the community/auth details. The attack requires an SNMP item to be configured as text on the target host.

CVE-2024-42331 | Nov 27, 2024 | Zabbix
Zabbix: Use-After-Free Vulnerability in Duktape JavaScript Engine Integration
In the src/libs/zbxembed/browser.c file, the es_browser_ctor method retrieves a heap pointer from the Duktape JavaScript engine. This heap pointer is subsequently utilized by the browser_push_error method in the src/libs/zbxembed/browser_error.c file. A use-after-free bug can occur at this stage if the wd->browser heap pointer is freed by garbage collection.

CVE-2024-36467 | Nov 27, 2024 | Zabbix
Zabbix API Privilege Escalation Vulnerability in User Management
An authenticated user with API access (e.g. a user with the default User role), more specifically a user with access to the user.update API endpoint, is able to add themselves to any group (e.g. Zabbix Administrators), except groups that are disabled or have restricted GUI access.

CVE-2024-36461 | Aug 12, 2024 | Zabbix
Zabbix JS Engine Pointer Modification Vulnerability
Within Zabbix, users have the ability to directly modify memory pointers in the JavaScript engine.

CVE-2024-22116 | Aug 12, 2024 | Zabbix
Remote Code Execution via Script Params in Monitoring Hosts (Ping script)
An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user to execute arbitrary code via the Ping script, thereby compromising infrastructure.

CVE-2024-22114 | Aug 12, 2024 | Zabbix
ServiceNow: Unprivileged Host Stats Disclosure via SysInfo Widget
A user with no permission to any of the Hosts can access and view the host count and other statistics through the System Information Widget in the Global View Dashboard.

CVE-2024-36462 | Aug 12, 2024 | Zabbix
Uncontrolled Resource Consumption (DoS) CVE-2024-36462
Uncontrolled resource consumption refers to a software vulnerability where an attacker or system uses excessive resources, such as CPU, memory, or network bandwidth, without proper limitations or controls. This can cause a denial-of-service (DoS) attack or degrade the performance of the affected system.

CVE-2024-36460 | Aug 12, 2024 | Zabbix
Frontend Audit Log Exposure of Plaintext Passwords in Unknown Application
The front-end audit log allows viewing of unprotected plaintext passwords, where the passwords are displayed in plain text.

CVE-2024-22123 | Aug 12, 2024 | Zabbix
Zabbix Server SMS Media Misconfig Lets Log File Corrupt & Leak via AT Commands
Setting SMS media allows setting the GSM modem file. Later this file is used as a Linux device. But because everything is a file in Linux, it is possible to set another file, e.g. a log file, and zabbix_server will try to communicate with it as a modem. As a result, the log file will be corrupted with AT commands and a small part of the log file content will be leaked to the UI.

CVE-2024-22121 | Aug 12, 2024 | Zabbix
Zabbix Agent: Non-Admin Feature Tampering
A non-admin user can change or remove important features within the Zabbix Agent application, thus impacting the integrity and availability of the application.

CVE-2024-22122 | Aug 12, 2024 | Zabbix
Zabbix Server AT Command Injection via Unvalidated SMS Number
Zabbix allows configuring SMS notifications. AT command injection occurs on "Zabbix Server" because there is no validation of the "Number" field on the Web nor on the Zabbix server side. An attacker can run an SMS test providing a specially crafted phone number and execute additional AT commands on the modem.

CVE-2024-22120 | May 17, 2024 | Zabbix
Zabbix Exec + Blind SQLi via clientip Injection
Zabbix server can perform command execution for configured scripts. After a command is executed, an audit entry is added to the "Audit Log". Because the "clientip" field is not sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection.

CVE-2024-22119 | Feb 09, 2024 | Zabbix
Unvalidated Name Field on Graph Page Leads to Injection in Items Section
The cause of the vulnerability is improper validation of the form input field Name on the Graph page in the Items section.

CVE-2023-32726 | Dec 18, 2023 | Zabbix Agent, Zabbix
Microsoft DNS RDLENGTH Buffer Overflow
The vulnerability is caused by an improper check of whether RDLENGTH overflows the buffer in the response from the DNS server.

CVE-2023-32725 | Dec 18, 2023 | Zabbix Server, Frontend
Session cookie leakage via URL widget in scheduled reports
The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user.

CVE-2023-32727 | Dec 18, 2023 | Zabbix Server, Zabbix
Zabbix RCE via icmpping() in Config Items
An attacker who has the privilege to configure Zabbix items can use the function icmpping() with an additional malicious command inside it to execute arbitrary code on the current Zabbix server.

CVE-2023-32728 | Dec 18, 2023 | Zabbix Agent2
Zabbix Agent 2 smart.disk.get RCE via unsanitized shell command
The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command, resulting in a possible remote code execution vulnerability.

CVE-2023-32722 | Oct 12, 2023 | Zabbix
Zabbix zbxjson Buffer Overflow via zbx_json_open
The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open.

CVE-2023-32723 | Oct 12, 2023 | Zabbix
LDAP Request Bypass Before Permission Check
The request to LDAP is sent before user permissions are checked.

CVE-2023-32724 | Oct 12, 2023 | Zabbix
Direct Memory Access via Duktape Property Pointer (CVE-2023-32724)
The memory pointer is in a property of the Duktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation.

CVE-2023-32721 | Oct 12, 2023 | Zabbix
Zabbix XSS via Maps URL Field with Leading Spaces
A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before the URL.

CVE-2023-29453 | Oct 12, 2023 | Zabbix Agent2
Go Templates unescaped backticks pre-1.21 JS injection
Templates do not properly consider backticks (`) as JavaScript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary JavaScript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g., "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With the fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.

CVE-2023-30958 | Aug 03, 2023 | Frontend
Foundry Frontend DOM XSS before v6.225.0
A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.225.0.

CVE-2023-29457 | Jul 13, 2023 | Frontend, Zabbix
Reflected XSS via action form field in web app (CVE-2023-29457)
Reflected XSS attacks occur when a malicious script is reflected off a web application to the victim's browser. The script can be activated through Action form fields, which can be sent as a request to a website with a vulnerability that enables execution of malicious scripts.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).