Zabbix Frontend Authenticated XSS via Maintenance Tooltip
CVE-2026-23926 Published on May 6, 2026

Stored XSS vulnerability in Host navigator widget maintenance tooltip
An authenticated (non-super) administrator can create a maintenance period containing a JavaScript payload that is executed when any user opens the tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions, depending on which user opens the tooltip.

NVD

Weakness Type

What is an XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-23926 has been classified as an XSS vulnerability or weakness.


Products Associated with CVE-2026-23926


Affected Versions

Zabbix: