Vendor CVEs
Zabbix
All CVEs
123 total · sorted by risk

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-10134 | Critical | 0.73 | 9.8 | 0.83 | | Feb 17, 2017 | SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php. |
| CVE-2014-3005 | Critical | 0.64 | 9.8 | 0.05 | | Feb 1, 2018 | XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request. |
| CVE-2016-4338 | High | 0.57 | 8.1 | 0.21 | | Jan 23, 2017 | The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via… |
| CVE-2017-2824 | High | 0.55 | 8.1 | 0.26 | | May 24, 2017 | An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to… |
| CVE-2026-23925 | High | 0.53 | 8.1 | 0.00 | | Mar 6, 2026 | An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit… |
| CVE-2026-23928 | High | 0.47 | — | 0.00 | | May 6, 2026 | The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The… |
| CVE-2026-23926 | High | 0.47 | — | 0.00 | | May 6, 2026 | An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user who opens the tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on… |
| CVE-2025-27234 | High | 0.47 | — | 0.00 | | Sep 12, 2025 | Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. In Zabbix 5.0 this allows for remote code execution. |
| CVE-2025-49642 | Medium | 0.38 | — | 0.00 | | Dec 1, 2025 | Library loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory. |
| CVE-2025-27233 | Medium | 0.37 | — | 0.00 | | Sep 12, 2025 | Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. This can be used to leak the NTLMv2 hash from a Windows system. |
| CVE-2026-23927 | Medium | 0.33 | — | 0.00 | | May 6, 2026 | A user able to connect to Agent 2 can inject an Oracle TNS connection string via the 'service' parameter. This can lead to Agent 2 connecting to an attacker-controlled server and leaking Oracle database credentials if they are saved in a named session. |
| CVE-2022-23131 | | 0.20 | — | 0.96 | KEV | Jan 13, 2022 | In instances where SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. A malicious unauthenticated actor may exploit this issue to escalate privileges and… |
| CVE-2022-23134 | | 0.19 | — | 0.85 | KEV | Jan 13, 2022 | After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend. |
| CVE-2013-3628 | | 0.10 | — | 0.67 | | Feb 7, 2020 | Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability. |
| CVE-2013-5743 | | 0.09 | — | 0.80 | | Dec 11, 2019 | Multiple SQL injection vulnerabilities in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.9rc1, and 2.1.x before 2.1.7. |
| CVE-2024-22120 | | 0.07 | — | 0.77 | | May 17, 2024 | Zabbix server can perform command execution for configured scripts. After a command is executed, an audit entry is added to "Audit Log". Because the "clientip" field is not sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection. |
| CVE-2019-17382 | | 0.07 | — | 0.54 | | Oct 9, 2019 | An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All… |
| CVE-2009-4498 | | 0.06 | — | 0.32 | | Dec 31, 2009 | The node_process_command function in Zabbix Server before 1.8 allows remote attackers to execute arbitrary commands via a crafted request. |
| CVE-2009-4502 | | 0.05 | — | 0.22 | | Dec 31, 2009 | The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary commands via shell metacharacters in the argument to net.tcp.listen. NOTE: this attack… |
| CVE-2020-11800 | | 0.04 | — | 0.09 | | Oct 7, 2020 | Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code. |
| CVE-2009-4501 | | 0.04 | — | 0.09 | | Dec 31, 2009 | The zbx_get_next_field function in libs/zbxcommon/str.c in Zabbix Server before 1.6.8 allows remote attackers to cause a denial of service (crash) via a request that lacks expected separators, which triggers a NULL pointer dereference, as demonstrated using the Command keyword. |
| CVE-2006-6692 | | 0.04 | — | 0.08 | | Dec 21, 2006 | Multiple format string vulnerabilities in zabbix before 20061006 allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in information that would be recorded in the system log using (1) zabbix_log or (2)… |
| CVE-2024-42327 | | 0.03 | — | 0.79 | | Nov 27, 2024 | A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function; this function is called from the CUser.get function… |
| CVE-2013-5572 | | 0.03 | — | 0.04 | | Oct 1, 2013 | Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code. |
| CVE-2012-3435 | | 0.03 | — | 0.04 | | Aug 15, 2012 | SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter. |
| CVE-2011-4674 | | 0.03 | — | 0.03 | | Dec 2, 2011 | SQL injection vulnerability in popup.php in Zabbix 1.8.3 and 1.8.4, and possibly other versions before 1.8.9, allows remote attackers to execute arbitrary SQL commands via the only_hostid parameter. |
| CVE-2009-4499 | | 0.03 | — | 0.02 | | Dec 31, 2009 | SQL injection vulnerability in the get_history_lastid function in the nodewatcher component in Zabbix Server before 1.6.8 allows remote attackers to execute arbitrary SQL commands via a crafted request, possibly related to the send_history_last_id function in… |
| CVE-2008-1353 | | 0.03 | — | 0.06 | | Mar 17, 2008 | zabbix_agentd in ZABBIX 1.4.4 allows remote attackers to cause a denial of service (CPU and connection consumption) via multiple vfs.file.cksum commands with a special device node such as /dev/urandom or /dev/zero. |
| CVE-2007-6210 | | 0.03 | — | 0.01 | | Dec 4, 2007 | zabbix_agentd 1.1.4 in ZABBIX before 1.4.3 runs "UserParameter" scripts with gid 0, which might allow local users to gain privileges. |
| CVE-2013-3738 | | 0.01 | — | 0.03 | | Feb 17, 2020 | A File Inclusion vulnerability exists in Zabbix 2.0.6 due to inadequate sanitization of request strings in CGI scripts, which could let a remote malicious user execute arbitrary code. |
| CVE-2026-23924 | | 0.00 | — | 0.00 | | Mar 24, 2026 | Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding them to the Docker daemon. An attacker capable of invoking Agent 2 can read arbitrary files from running Docker containers by injecting them via the Docker archive API. |
| CVE-2026-23923 | | 0.00 | — | 0.00 | | Mar 24, 2026 | An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time. |
| CVE-2026-23921 | | 0.00 | — | 0.00 | | Mar 24, 2026 | A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary… |
| CVE-2026-23920 | | 0.00 | — | 0.00 | | Mar 24, 2026 | Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands. |
| CVE-2026-23919 | | 0.00 | — | 0.00 | | Mar 24, 2026 | For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript preprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A… |
| CVE-2025-49643 | | 0.00 | — | 0.00 | | Dec 1, 2025 | An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service. |
| CVE-2025-27232 | | 0.00 | — | 0.00 | | Dec 1, 2025 | An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver, leading to potential confidentiality loss. |
| CVE-2025-49641 | | 0.00 | — | 0.00 | | Oct 3, 2025 | A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems. |
| CVE-2025-27236 | | 0.00 | — | 0.00 | | Oct 3, 2025 | A regular Zabbix user can search other users in their user group via the Zabbix API by selecting fields the user does not have access to view. This allows data-mining some field values the user does not have access to. |
| CVE-2025-27231 | | 0.00 | — | 0.00 | | Oct 3, 2025 | The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host' to a rogue LDAP server. To mitigate this, the 'Bind password' value is now reset on 'Host' change. |
| CVE-2025-27240 | | 0.00 | — | 0.01 | | Sep 12, 2025 | A Zabbix administrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field. |
| CVE-2025-27238 | | 0.00 | — | 0.00 | | Sep 12, 2025 | Due to a bug in the Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them. |
| CVE-2024-45700 | | 0.00 | — | 0.00 | | Apr 2, 2025 | Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled resource exhaustion. An attacker can send specially crafted requests to the server, which will cause the server to allocate an excessive amount of memory and perform CPU-intensive decompression operations,… |
| CVE-2024-45699 | | 0.00 | — | 0.00 | | Apr 2, 2025 | The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be… |
| CVE-2024-42325 | | 0.00 | — | 0.00 | | Apr 2, 2025 | Zabbix API user.get returns all users that share a common group with the calling user. This includes media and other information, such as login attempts, etc. |
| CVE-2024-36469 | | 0.00 | — | 0.00 | | Apr 2, 2025 | Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one. |
| CVE-2024-36465 | | 0.00 | — | 0.23 | | Apr 2, 2025 | A low privilege (regular) Zabbix user with API access can use an SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter. |
| CVE-2024-36466 | | 0.00 | — | 0.01 | | Nov 28, 2024 | A bug in the code allows an attacker to sign a forged zbx_session cookie, which then allows them to sign in with admin permissions. |
| CVE-2024-36464 | | 0.00 | — | 0.01 | | Nov 27, 2024 | When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these… |
| CVE-2024-42333 | | 0.00 | — | 0.01 | | Nov 27, 2024 | The researcher is showing that it is possible to leak a small amount of Zabbix Server memory using an out of bounds read in src/libs/zbxmedia/email.c. |
Page 1 of 3