CVE-2026-23921

UNKNOWN 0.0

Blind, read-only SQL injection in Zabbix API via sortfield parameter

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

9th

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.

CWE	CWE-89
Vendor	zabbix
Product	zabbix
Published	Mar 24, 2026
Last Updated	Mar 26, 2026

Stay Ahead of the Next One

Get instant alerts for zabbix zabbix

Be the first to know when new unknown vulnerabilities affecting zabbix zabbix are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Zabbix / Zabbix

7.0.0 ≤ 7.0.21 7.2.0 ≤ 7.2.14 7.4.0 ≤ 7.4.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

support.zabbix.com: https://support.zabbix.com/browse/ZBX-27640

Credits

🔍 Zabbix wants to thank SeaWind for submitting this report on the HackerOne bug bounty platform.