CVE-2026-23919— Insufficient isolation of JavaScript (Duktape) execution context on Zabbix Server
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23919
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Insufficient isolation of JavaScript (Duktape) execution context on Zabbix Server
Source: NVD (National Vulnerability Database)
Vulnerability Description
For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information <a href='https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe'>in Zabbix documentation</a>.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对错误会话暴露数据元素
Source: NVD (National Vulnerability Database)
Vulnerability Title
Zabbix 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Zabbix是Zabbix公司的一套开源的监控系统。该系统支持网络监控、服务器监控、云监控和应用监控等。 Zabbix存在安全漏洞,该漏洞源于JavaScript环境重用不当,可能导致非超级管理员泄露其无权访问的主机数据。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-23919
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23919
请登录查看更多情报信息。
Same Patch Batch · Zabbix · 2026-03-24 · 5 CVEs total
| CVE-2026-23924 | Agent 2 Docker plugin arbitrary file read via Docker API injection | |
| CVE-2026-23920 | Host and event action script regex validation can be bypassed in certain situations, leadi | |
| CVE-2026-23923 | Unauthenticated arbitrary PHP class instantiation | |
| CVE-2026-23921 | Blind, read-only SQL injection in Zabbix API via sortfield parameter |
IV. Related Vulnerabilities
Same product: Zabbix
- CVE-2026-23928
Stored XSS vulnerability in the Item history/Plain text widg - CVE-2026-23927
Agent 2 Oracle plugin TNS connection string injection via th - CVE-2026-23926
Stored XSS vulnerability in Host navigator widget maintenanc - CVE-2026-23924
Agent 2 Docker plugin arbitrary file read via Docker API inj - CVE-2026-23923
Unauthenticated arbitrary PHP class instantiation
Same vendor: Zabbix
- CVE-2026-23928
Stored XSS vulnerability in the Item history/Plain text widg - CVE-2026-23927
Agent 2 Oracle plugin TNS connection string injection via th - CVE-2026-23926
Stored XSS vulnerability in Host navigator widget maintenanc - CVE-2026-23924
Agent 2 Docker plugin arbitrary file read via Docker API inj - CVE-2026-23923
Unauthenticated arbitrary PHP class instantiation
Same weakness: CWE-488
- CVE-2026-34391
Fleet Vulnerable to Windows MDM cross-device command disclos - CVE-2026-27492
Lettermint Node.js SDK leaks email properties to unintended - CVE-2026-23844
Whisper Money has IDOR Vulnerability on sync/balances endpoi - CVE-2026-23646
OpenProject users can delete other user's session, causing t - CVE-2025-24934
SO_REUSEPORT_LB breaks connect(2) for UDP sockets
V. Comments for CVE-2026-23919
No comments yet