VYPR
Unrated severityNVD Advisory· Published Mar 24, 2026· Updated Mar 26, 2026

Blind, read-only SQL injection in Zabbix API via sortfield parameter

CVE-2026-23921

Description

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Zabbix/Zabbixllm-fuzzy2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: 7.0.0

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.