CVE-2026-23923

UNKNOWN 0.0

Unauthenticated arbitrary PHP class instantiation

CVSS Score

0.0

EPSS Score

0.1%

EPSS Percentile

17th

An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.

CWE	CWE-470
Vendor	zabbix
Product	zabbix
Published	Mar 24, 2026
Last Updated	Mar 25, 2026

Stay Ahead of the Next One

Get instant alerts for zabbix zabbix

Be the first to know when new unknown vulnerabilities affecting zabbix zabbix are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Zabbix / Zabbix

7.4.0 ≤ 7.4.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

support.zabbix.com: https://support.zabbix.com/browse/ZBX-27641

Credits

🔍 Zabbix wants to thank pitticus for submitting this report on the HackerOne bug bounty platform.