CVE-2026-23928
Stored XSS vulnerability in the Item history/Plain text widget
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0.
| CWE | CWE-79 |
| Vendor | zabbix |
| Product | zabbix |
| Published | May 6, 2026 |
Affected Versions
Zabbix / Zabbix
6.0.0 ≤ 6.0.44
7.0.0 ≤ 7.0.23
7.4.0 ≤ 7.4.7