CVE-2026-23926 PUBLISHED

Stored XSS vulnerability in Host navigator widget maintenance tooltip

Assigner: Zabbix
Reserved: 19.01.2026 Published: 06.05.2026 Updated: 06.05.2026

An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	High
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Zabbix
Product	Zabbix
Versions	Default: unknown affected from 7.0.0 to 7.0.23 (incl.) affected from 7.4.0 to 7.4.7 (incl.)

Affected Configurations

An attacker creating a malicious maintenance period that must then be shown and opened via the Host navigator widget.

Workarounds

Disable the Host navigator widget via Administration -> General -> Modules.

Solutions

Update the affected components to their respective fixed versions.

Credits

Zabbix wants to thank Daniel Santos (@bananabr) for submitting this report on the HackerOne bug bounty platform. reporter

References

https://support.zabbix.com/browse/ZBX-27758

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE

Impacts

CAPEC-592: Stored XSS