๐Ÿ” CVE Alert

CVE-2026-23920

UNKNOWN 0.0

Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 14th

Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.
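
The anchor behaviour described above, shown as an added example (not Zabbix code). The pattern, function names and sample values are assumptions constructed for illustration; Python's re.MULTILINE stands in for multiline-mode matching.

```python
import re

# Hypothetical administrator-set pattern (assumption, not taken from Zabbix).
ADMIN_PATTERN = r"^[A-Za-z0-9.-]+$"

def validate_multiline(value, pattern=ADMIN_PATTERN):
    """Weak check: in multiline mode ^ and $ match at every line boundary,
    so one conforming line anywhere in the value is enough to pass."""
    return re.search(pattern, value, re.MULTILINE) is not None

def validate_default(value, pattern=ADMIN_PATTERN):
    """Still weak: without multiline mode, $ also matches just before a
    single trailing newline."""
    return re.search(pattern, value) is not None

def validate_strict(value, pattern=ADMIN_PATTERN):
    """Hardened check: refuse control characters (including CR/LF) outright,
    then require the pattern to cover the entire value."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return False
    return re.fullmatch(pattern, value) is not None

# Constructed sample inputs; the extra lines are inert placeholders.
SAMPLES = [
    "web01.example.com",
    "web01.example.com\nSECOND LINE!",
    "bad value!\nweb01",
    "web01\n",
    "bad value!",
]

def evaluate(samples=SAMPLES):
    """Return {sample: (multiline, default, strict)} for side-by-side review."""
    return {
        s: (validate_multiline(s), validate_default(s), validate_strict(s))
        for s in samples
    }

if __name__ == "__main__":
    for sample, verdicts in evaluate().items():
        print(f"{sample!r:40} multiline={verdicts[0]} "
              f"default={verdicts[1]} strict={verdicts[2]}")
```

Only the strict variant rejects every value containing a line break; the other two accept at least one of them.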

CWE: CWE-78
Vendor: zabbix
Product: zabbix
Published: Mar 24, 2026
Last Updated: Mar 26, 2026

Affected Versions

Zabbix / Zabbix
7.0.0 ≤ 7.0.21, 7.2.0 ≤ 7.2.14, 7.4.0 ≤ 7.4.5

References

NVD, CVE.org, EPSS Data
support.zabbix.com: https://support.zabbix.com/browse/ZBX-27639

Credits

๐Ÿ” Zabbix wants to thank YoKo Kho (@YoKoAcc) from PT ITSEC Asia, Tbk for submitting this report on the HackerOne bug bounty platform.