Zabbix
Sign in to watchby Zabbix
Source repositories
CVEs (91)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-10134 | Cri | 0.74 | 9.8 | 0.86 | Feb 17, 2017 | SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php. | |
| CVE-2017-2824 | Hig | 0.59 | 8.1 | 0.74 | May 24, 2017 | An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability. | |
| CVE-2026-23926 | Hig | 0.47 | — | 0.00 | May 6, 2026 | An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip. | |
| CVE-2024-42327 | 0.10 | — | 0.92 | Nov 27, 2024 | A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access. | ||
| CVE-2013-3628 | 0.10 | — | 0.89 | Feb 7, 2020 | Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability | ||
| CVE-2009-4498 | 0.09 | — | 0.72 | Dec 31, 2009 | The node_process_command function in Zabbix Server before 1.8 allows remote attackers to execute arbitrary commands via a crafted request. | ||
| CVE-2009-4502 | 0.08 | — | 0.64 | Dec 31, 2009 | The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary commands via shell metacharacters in the argument to net.tcp.listen. NOTE: this attack is limited to attacks from trusted IP addresses. | ||
| CVE-2024-22120 | 0.07 | — | 0.92 | May 17, 2024 | Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection. | ||
| CVE-2013-5572 | 0.04 | — | 0.08 | Oct 1, 2013 | Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code. | ||
| CVE-2012-3435 | 0.03 | — | 0.02 | Aug 15, 2012 | SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter. | ||
| CVE-2011-4674 | 0.03 | — | 0.00 | Dec 2, 2011 | SQL injection vulnerability in popup.php in Zabbix 1.8.3 and 1.8.4, and possibly other versions before 1.8.9, allows remote attackers to execute arbitrary SQL commands via the only_hostid parameter. | ||
| CVE-2009-4501 | 0.03 | — | 0.05 | Dec 31, 2009 | The zbx_get_next_field function in libs/zbxcommon/str.c in Zabbix Server before 1.6.8 allows remote attackers to cause a denial of service (crash) via a request that lacks expected separators, which triggers a NULL pointer dereference, as demonstrated using the Command keyword. | ||
| CVE-2009-4499 | 0.03 | — | 0.00 | Dec 31, 2009 | SQL injection vulnerability in the get_history_lastid function in the nodewatcher component in Zabbix Server before 1.6.8 allows remote attackers to execute arbitrary SQL commands via a crafted request, possibly related to the send_history_last_id function in zabbix_server/trapper/nodehistory.c. | ||
| CVE-2008-1353 | 0.03 | — | 0.06 | Mar 17, 2008 | zabbix_agentd in ZABBIX 1.4.4 allows remote attackers to cause a denial of service (CPU and connection consumption) via multiple vfs.file.cksum commands with a special device node such as /dev/urandom or /dev/zero. | ||
| CVE-2006-6692 | 0.03 | — | 0.06 | Dec 21, 2006 | Multiple format string vulnerabilities in zabbix before 20061006 allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in information that would be recorded in the system log using (1) zabbix_log or (2) zabbix_syslog. | ||
| CVE-2026-23924 | 0.00 | — | 0.00 | Mar 24, 2026 | Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding them to the Docker daemon. An attacker capable of invoking Agent 2 can read arbitrary files from running Docker containers by injecting them via the Docker archive API. | ||
| CVE-2026-23923 | 0.00 | — | 0.00 | Mar 24, 2026 | An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time. | ||
| CVE-2026-23921 | 0.00 | — | 0.00 | Mar 24, 2026 | A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise. | ||
| CVE-2026-23920 | 0.00 | — | 0.00 | Mar 24, 2026 | Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands. | ||
| CVE-2026-23919 | 0.00 | — | 0.00 | Mar 24, 2026 | For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information <a href='https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe'>in Zabbix documentation</a>. |