
Zabbix — Vulnerabilities & Security Advisories (83)

Browse all 83 CVE security advisories affecting Zabbix. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Zabbix is an enterprise-class open-source monitoring platform for real-time observation of IT infrastructure: servers, network devices and applications. A central server stores data in a database, collects metrics from agents and other data sources, evaluates triggers and sends alerts; a PHP web frontend and a JSON-RPC API (api_jsonrpc.php) sit on top of the server. The 83 CVEs recorded for the platform cluster around a few weakness classes that are visible in the listing below: SQL injection in the API and server (CWE-89), stored and reflected XSS in frontend widgets and actions (CWE-79), argument and command injection in Agent 2 plugins such as smartctl and Docker (CWE-77, CWE-78, CWE-88), missing or insufficient authorization checks on API methods and frontend actions (CWE-863), and library or DLL loading hijacks in agent builds (CWE-426, CWE-427). Most of these reduce to insufficient validation of frontend input or incomplete permission checks on API endpoints, and several are reachable without authentication. Deployment complexity adds a second layer of risk: a monitoring server with agents on every host is a high-value target, so privilege escalation and unauthorized data access have figured in the more serious advisories. Rigorous patch management is the primary control; beyond that, the standard hardening advice is to keep the frontend and API off untrusted networks, enforce strict network segmentation between the server, its database and the monitored hosts, and disable agent plugins and frontend features that are not in use.

Found 68 results / 83 (30 shown below)
All entries are for vendor Zabbix. A CVSS score or severity marked (AI) is the site's AI estimate rather than a value from the vendor advisory; "-" means no severity was listed.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-23928 | Stored XSS vulnerability in the Item history/Plain text widget | CWE-79 | 8.2 (AI) | High (AI) | 2026-05-06 |
| CVE-2026-23927 | Agent 2 Oracle plugin TNS connection string injection via the 'service' parameter | CWE-522 | 6.5 (AI) | Medium (AI) | 2026-05-06 |
| CVE-2026-23926 | Stored XSS vulnerability in Host navigator widget maintenance tooltip | CWE-79 | 7.3 (AI) | High (AI) | 2026-05-06 |
| CVE-2026-23924 | Agent 2 Docker plugin arbitrary file read via Docker API injection | CWE-88 | 6.5 | - | 2026-03-24 |
| CVE-2026-23923 | Unauthenticated arbitrary PHP class instantiation | CWE-470 | 9.8 | - | 2026-03-24 |
| CVE-2026-23921 | Blind, read-only SQL injection in Zabbix API via sortfield parameter | CWE-89 | 8.8 | - | 2026-03-24 |
| CVE-2026-23920 | Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection | CWE-78 | 8.8 | - | 2026-03-24 |
| CVE-2026-23919 | Insufficient isolation of JavaScript (Duktape) execution context on Zabbix Server | CWE-488 | 2.7 | - | 2026-03-24 |
| CVE-2026-23925 | Unauthorized host creation via configuration.import API by low-privilege user with write permissions | CWE-863 | 6.5 | - | 2026-03-06 |
| CVE-2025-49643 | Frontend DoS vulnerability due to asymmetric resource consumption | CWE-405 | 6.5 (AI) | Medium (AI) | 2025-12-01 |
| CVE-2025-49642 | Agent builds for AIX vulnerable to library loading hijacking | CWE-426 | 7.8 (AI) | High (AI) | 2025-12-01 |
| CVE-2025-27232 | Frontend arbitrary file read in oauth.authorize action | CWE-918 | 4.9 (AI) | Medium (AI) | 2025-12-01 |
| CVE-2025-49641 | Insufficient permission check for the problem.view.refresh action | CWE-863 | 4.3 | - | 2025-10-03 |
| CVE-2025-27237 | DLL injection in Zabbix Agent and Agent 2 via OpenSSL configuration | CWE-427 | 7.8 (AI) | High (AI) | 2025-10-03 |
| CVE-2025-27236 | User information disclosure via api_jsonrpc.php on method user.get with param search | CWE-863 | 4.3 | - | 2025-10-03 |
| CVE-2025-27231 | LDAP 'Bind password' field value can be leaked by a Zabbix Super Admin | CWE-522 | 4.9 | - | 2025-10-03 |
| CVE-2025-27240 | Second-order SQL injection in Zabbix Server when deleting an autoregistered host | CWE-89 | 7.2 | - | 2025-09-12 |
| CVE-2025-27238 | API hostprototype.get lists data to users with insufficient authorization | - | 5.3 | - | 2025-09-12 |
| CVE-2025-27233 | Zabbix Agent 2 smartctl plugin argument injection in Zabbix 6.0 and later | CWE-77 | 6.5 | - | 2025-09-12 |
| CVE-2025-27234 | Zabbix Agent 2 smartctl plugin RCE vulnerability in Zabbix 5.0 | CWE-78 | 9.8 | - | 2025-09-12 |
| CVE-2024-45700 | DoS vulnerability due to uncontrolled resource exhaustion | CWE-770 | 7.5 (AI) | High (AI) | 2025-04-02 |
| CVE-2024-45699 | Reflected XSS vulnerability in /zabbix.php?action=export.valuemaps | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-04-02 |
| CVE-2024-42325 | Excessive information returned by user.get | CWE-359 | 7.5 (AI) | High (AI) | 2025-04-02 |
| CVE-2024-36469 | User enumeration via timing attack in Zabbix web interface | CWE-208 | 9.4 (AI) | Critical (AI) | 2025-04-02 |
| CVE-2024-36465 | SQL injection in Zabbix API | CWE-89 | 8.8 (AI) | High (AI) | 2025-04-02 |
| CVE-2024-36466 | Unauthenticated Zabbix frontend takeover when SSO is being used | CWE-290 | 8.8 | High | 2024-11-28 |
| CVE-2024-36464 | Media Types: Office365, SMTP passwords are unencrypted and visible in plaintext when exported | CWE-256 | 2.7 | Low | 2024-11-27 |
| CVE-2024-42333 | Heap buffer over-read | CWE-126 | 2.7 | Low | 2024-11-27 |
| CVE-2024-42332 | New line injection in Zabbix SNMP traps | - | 3.7 | Low | 2024-11-27 |
| CVE-2024-42331 | Use after free in browser_push_error | CWE-416 | 3.3 | Low | 2024-11-27 |
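The listing above mixes vendor-published CVSS scores with the site's own AI estimates, and a triage script that treats them alike will over-prioritize guessed values (the AI-estimated 9.4 for a timing-based user enumeration is a good illustration). The following is an added example, not code from this site or from the Zabbix project: it parses rows in the flattened form the listing uses, records where each score and severity came from, derives a severity from the CVSS v3 bands when none was listed, and ranks vendor-scored entries ahead of AI-scored ones. It assumes the row format inferred from the page (an "AI" suffix marks an AI-estimated value, "-" marks a missing severity); the sample rows are copied from the table and embedded inline so the script runs offline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: six rows copied from the listing on this page, in the
# flattened form it uses (title, vendor, CWE, CVSS, severity and date run together).
SAMPLE_ROWS = """\
CVE-2026-23923 Unauthenticated arbitrary PHP class instantiation — ZabbixCWE-470 9.8 -2026-03-24
CVE-2026-23921 Blind, read-only SQL injection in Zabbix API via sortfield parameter — ZabbixCWE-89 8.8 -2026-03-24
CVE-2026-23928 Stored XSS vulnerability in the Item history/Plain text widget — ZabbixCWE-79 8.2AIHighAI2026-05-06
CVE-2025-27238 API hostprototype.get lists data to users with insufficient authorization. — Zabbix 5.3 -2025-09-12
CVE-2024-36466 Unauthenticated Zabbix frontend takeover when SSO is being used — ZabbixCWE-290 8.8 High2024-11-28
CVE-2024-36469 User enumeration via timing attack in Zabbix web interface — ZabbixCWE-208 9.4AICriticalAI2025-04-02
"""

# Assumed row grammar (inferred from the page, not documented by the site):
# "AI" directly after the score or the severity word marks an AI-estimated value;
# a bare "-" in the severity position means no severity was listed at all.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,}) (?P<title>.+?) \u2014 Zabbix"
    r"(?P<cwe>CWE-\d+)? (?P<cvss>\d{1,2}\.\d)(?P<cvss_ai>AI)?\s*"
    r"(?:-|(?P<sev>Critical|High|Medium|Low)(?P<sev_ai>AI)?)"
    r"(?P<published>\d{4}-\d{2}-\d{2})$"
)


@dataclass
class Advisory:
    cve_id: str
    title: str
    cwe: Optional[str]
    cvss: float
    cvss_source: str       # "vendor" or "ai"
    severity: str
    severity_source: str   # "vendor", "ai", or "derived" (from the CVSS v3 bands)
    published: str


def cvss_v3_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def parse_advisories(text: str) -> List[Advisory]:
    """Parse flattened listing rows; raise on anything the grammar does not cover."""
    out: List[Advisory] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        cvss = float(m["cvss"])
        if m["sev"]:
            severity, sev_src = m["sev"], ("ai" if m["sev_ai"] else "vendor")
        else:
            severity, sev_src = cvss_v3_band(cvss), "derived"
        out.append(Advisory(m["cve"], m["title"], m["cwe"], cvss,
                            "ai" if m["cvss_ai"] else "vendor",
                            severity, sev_src, m["published"]))
    return out


def triage(advisories: List[Advisory], min_cvss: float = 7.0) -> List[Advisory]:
    """Entries at or above the threshold: vendor-scored first (an AI-estimated score
    is a guess to re-check against the vendor advisory before acting on it), then by
    score descending, then by CVE ID so the order is stable."""
    picked = [a for a in advisories if a.cvss >= min_cvss]
    return sorted(picked, key=lambda a: (a.cvss_source == "ai", -a.cvss, a.cve_id))


def by_cwe(advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Group CVE IDs by weakness class; rows without a CWE land under 'unclassified'."""
    groups: Dict[str, List[str]] = {}
    for a in advisories:
        groups.setdefault(a.cwe or "unclassified", []).append(a.cve_id)
    return groups


if __name__ == "__main__":
    for a in triage(parse_advisories(SAMPLE_ROWS)):
        flag = "" if a.cvss_source == "vendor" else "  [AI-estimated score]"
        print(f"{a.cve_id}  {a.cvss:>4}  {a.severity:<8} {a.cwe or '-':<8} {a.title}{flag}")
```

Feeding the full listing through `parse_advisories` is a matter of pasting the rows into `SAMPLE_ROWS`; any row the regex rejects raises rather than being silently dropped, which is the behaviour you want when the source format drifts.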

This page lists every published CVE security advisory associated with Zabbix. Each entry links to a detail page with its CVSS score, CWE classification, affected products and references; an AI-generated Chinese analysis is provided for fast triage.