CVE-2026-23928 PUBLISHED

Stored XSS vulnerability in the Item history/Plain text widget

Assigner: Zabbix
Reserved: 19.01.2026
Published: 06.05.2026
Updated: 06.05.2026

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.3

Product Status

Vendor Zabbix
Product Zabbix
Versions Default: unknown
  • affected from 6.0.0 to 6.0.44 (incl.)
  • affected from 7.0.0 to 7.0.23 (incl.)
  • affected from 7.4.0 to 7.4.7 (incl.)
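As an added example (not part of the Zabbix advisory), a small Python helper that checks a deployed Zabbix version string against the inclusive affected ranges listed above; the inventory in the main block is a constructed sample, not real hosts.

```python
import re

# Affected ranges exactly as listed in the advisory (inclusive bounds).
AFFECTED_RANGES = (
    ((6, 0, 0), (6, 0, 44)),
    ((7, 0, 0), (7, 0, 23)),
    ((7, 4, 0), (7, 4, 7)),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Parse 'major.minor[.patch]' from strings such as '7.0.23' or
    '7.0.23rc1'. Pre-release suffixes are ignored (treated as the base
    version, i.e. conservatively) and a missing patch number counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text):
    """True if the version lies inside one of the advisory's ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each version string to 'affected' or 'not listed' for a fleet report.
    'not listed' only means the advisory names no range containing it."""
    return {v: ("affected" if is_affected(v) else "not listed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory for demonstration.
    sample = ["6.0.44", "6.0.45", "7.0.23rc1", "7.2.3", "7.4.8"]
    for ver, status in triage(sample).items():
        print(f"{ver:>10}: {status}")
```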

Affected Configurations

An attacker-controlled monitored host can send a malicious JavaScript payload that is then executed by the Item history/Plain text widget when HTML display is enabled.

Workarounds

Do not use HTML display in the Item history/Plain text widget, or disable this widget entirely under Administration -> General -> Modules (Zabbix 7.0+).

Solutions

Update the affected components to their respective fixed versions.

References

Problem Types

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Impacts

  • CAPEC-592: Stored XSS