CVE Alert

CVE-2026-23926

UNKNOWN 0.0

Stored XSS vulnerability in Host navigator widget maintenance tooltip

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

An authenticated (non-super) administrator can create a maintenance period containing a JavaScript payload that executes when any user opens the tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions, depending on which user opens the tooltip.

CWE CWE-79
Vendor zabbix
Product zabbix
Published May 6, 2026

Affected Versions

Zabbix / Zabbix
7.0.0 ≤ 7.0.23
7.4.0 ≤ 7.4.7

References

support.zabbix.com: https://support.zabbix.com/browse/ZBX-27758

Credits

Zabbix wants to thank Daniel Santos (@bananabr) for submitting this report on the HackerOne bug bounty platform.