Stored XSS vulnerability in Host navigator widget maintenance tooltip

7.3 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip.

Basic Information

ID CVE-2026-23926

Source Zabbix

Published May 6, 2026 at 06:58

Affected Product

Vendor Zabbix

Product Zabbix

Version 7.0.0

Affected Versions Zabbix Zabbix 7.0.0
Zabbix Zabbix 7.4.0

CWE Classification

CWE-79

References

support.zabbix.com /browse/ZBX-27758

{
    "lastseen": "",
    "description": "An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip.",
    "published": "2026-05-06T06:58:51.362Z",
    "modified": "2026-05-06T06:58:51.362Z",
    "type": "cve",
    "title": "Stored XSS vulnerability in Host navigator widget maintenance tooltip",
    "source": "Zabbix",
    "references": "https://support.zabbix.com/browse/ZBX-27758",
    "id": "CVE-2026-23926",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "Zabbix Zabbix 7.0.0\nZabbix Zabbix 7.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.3,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Zabbix",
    "version": "7.0.0",
    "vendor": "Zabbix",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Stored XSS vulnerability in Host navigator widget maintenance tooltip_CVE-2026-23926