🔐 CVE Alert

CVE-2025-27240

UNKNOWN 0.0

Secondary-order SQL injection in Zabbix Server when deleting an autoregistered host

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

A Zabbix administrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field.

CWE: CWE-89
Vendor: zabbix
Product: zabbix
Published: Sep 12, 2025
Last Updated: Feb 26, 2026

Affected Versions

Zabbix / Zabbix
6.0.0 through 6.0.33
6.4.0 through 6.4.18
7.0.0 through 7.0.3

References

support.zabbix.com: https://support.zabbix.com/browse/ZBX-26986

Credits

🔍 Zabbix wants to thank Grzegorz Muszyński (szerszen199) for submitting this report on the HackerOne bug bounty platform.