Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

Zabbix — Vulnerabilities & Security Advisories 70

All 70 CVE vulnerabilities found in Zabbix, with AI-generated Chinese analysis, references, and POCs.

This page is a vulnerability aggregation resource for Zabbix, focusing on Common Weakness Enumeration (CWE) classifications associated with the monitoring software. It compiles data on security weaknesses, including configuration errors, input validation flaws, and privilege escalation issues, covering vulnerability disclosures from 2008 through the present. Visitors can use this collection to track vendor advisories issued by Zabbix SIA, understand the prevalence and impact of specific weakness classes within the product ecosystem, and look up the complete historical record of vulnerabilities affecting Zabbix versions. The information is organized to help security professionals assess the risk landscape, identify recurring patterns in past incidents, and verify patch availability for known issues. By aggregating details from multiple sources, this resource provides a centralized view of the security posture of Zabbix over time. It serves as a reference for administrators seeking to prioritize remediation efforts and for analysts conducting threat intelligence research. The page does not include predictive analysis or exploit code, but rather factual data regarding identified weaknesses and their resolution status. Users can filter entries by severity, release version, or specific CWE identifiers to narrow down relevant findings. This structured approach facilitates a deeper understanding of how vulnerabilities in Zabbix have evolved and been addressed by the development team, supporting informed decision-making regarding system hardening and upgrade strategies.

Vendor: Zabbix

CVE IDTitleCVSSSeverityPublished
CVE-2026-23928 Stored XSS vulnerability in the Item history/Plain text widget CWE-79 8.2AIHighAI2026-05-06
CVE-2026-23927 Agent 2 Oracle plugin TNS connection string injection via the 'service' parameter CWE-522 6.5AIMediumAI2026-05-06
CVE-2026-23926 Stored XSS vulnerability in Host navigator widget maintenance tooltip CWE-79 7.3AIHighAI2026-05-06
CVE-2026-23924 Agent 2 Docker plugin arbitrary file read via Docker API injection CWE-88 6.5 -2026-03-24
CVE-2026-23923 Unauthenticated arbitrary PHP class instantiation CWE-470 9.8 -2026-03-24
CVE-2026-23921 Blind, read-only SQL injection in Zabbix API via sortfield parameter CWE-89 8.8 -2026-03-24
CVE-2026-23920 Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection CWE-78 8.8 -2026-03-24
CVE-2026-23919 Insufficient isolation of JavaScript (Duktape) execution context on Zabbix Server CWE-488 2.7 -2026-03-24
CVE-2026-23925 Unauthorized host creation via configuration.import API by low-privilege user with write permissions CWE-863 6.5 -2026-03-06
CVE-2025-49643 Frontend DoS vulnerability due to asymmetric resource consumption CWE-405 6.5AIMediumAI2025-12-01
CVE-2025-49642 Agent builds for AIX vulnerable to library loading hijacking CWE-426 7.8AIHighAI2025-12-01
CVE-2025-27232 Frontend arbitrary file read in oauth.authorize action CWE-918 4.9AIMediumAI2025-12-01
CVE-2025-49641 Insufficient permission check for the problem.view.refresh action CWE-863 4.3 -2025-10-03
CVE-2025-27237 DLL injection in Zabbix Agent and Agent 2 via OpenSSL configuration CWE-427 7.8AIHighAI2025-10-03
CVE-2025-27236 User information disclosure via api_jsonrpc.php on method user.get with param search CWE-863 4.3 -2025-10-03
CVE-2025-27231 LDAP 'Bind password' field value can be leaked by a Zabbix Super Admin CWE-522 4.9 -2025-10-03
CVE-2025-27240 Secondary-order SQL injection in Zabbix Server when deleting an autoregistered host CWE-89 7.2 -2025-09-12
CVE-2025-27238 API hostprototype.get lists data to users with insufficient authorization. 5.3 -2025-09-12
CVE-2025-27233 Zabbix Agent 2 smartctl plugin argument injection in Zabbix 6.0 and later. CWE-77 6.5 -2025-09-12
CVE-2025-27234 Zabbix Agent 2 smartctl plugin RCE vulnerability in Zabbix 5.0. CWE-78 9.8 -2025-09-12
CVE-2024-45700 DoS vulnerability due to uncontrolled resource exhaustion CWE-770 7.5AIHighAI2025-04-02
CVE-2024-45699 Reflected XSS vulnerability in /zabbix.php?action=export.valuemaps CWE-79 6.1AIMediumAI2025-04-02
CVE-2024-42325 Excessive information returned by user.get CWE-359 7.5AIHighAI2025-04-02
CVE-2024-36469 User enumeration via timing attack in Zabbix web interface CWE-208 9.4AICriticalAI2025-04-02
CVE-2024-36465 SQL injection in Zabbix API CWE-89 8.8AIHighAI2025-04-02
CVE-2024-36466 Unauthenticated Zabbix frontend takeover when SSO is being used CWE-290 8.8 High2024-11-28
CVE-2024-36464 Media Types: Office365, SMTP passwords are unencrypted and visible in plaintext when exported CWE-256 2.7 Low2024-11-27
CVE-2024-42333 Heap buffer over-read CWE-126 2.7 Low2024-11-27
CVE-2024-42332 New line injection in Zabbix SNMP traps 3.7 Low2024-11-27
CVE-2024-42331 Use after free in browser_push_error CWE-416 3.3 Low2024-11-27

All 70 known CVE vulnerabilities affecting Zabbix with full Chinese analysis, references, and POCs where available.