CVE-2026-23928

Vulnerability Description

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0.

Related Weaknesses (CWE)

References

FAQ

What is CVE-2026-23928?

CVE-2026-23928 is a documented vulnerability in Zabbix. The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets.

How severe is CVE-2026-23928?

CVSS scoring is not yet available for CVE-2026-23928. Check NVD for updates.

Is there a patch for CVE-2026-23928?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.