CVE-2026-23928 Overview
CVE-2026-23928 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting Zabbix monitoring software. The Item history widget in Zabbix 7.0+ and the Plain text widget in Zabbix 6.0 execute injected JavaScript when the HTML display option is enabled. An attacker who controls a monitored host can inject malicious payloads into item values, which then run in the browser of any user who opens a dashboard containing the affected widget. The Item history widget replaces the Plain text widget starting in Zabbix 7.0, so both product lines remain in scope.
Critical Impact
Attackers controlling a monitored host can execute arbitrary JavaScript in dashboard viewers' browsers, performing actions in their authenticated Zabbix session.
Affected Products
- Zabbix 6.0 (Plain text widget)
- Zabbix 7.0 and later (Item history widget)
- Dashboards with HTML display enabled on the affected widgets
Discovery Timeline
- 2026-05-06 - CVE-2026-23928 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-23928
Vulnerability Analysis
The flaw is a stored XSS issue in two Zabbix dashboard widgets that render item history values. When an administrator enables the HTML display option, widget output is rendered without sufficient sanitization or contextual encoding. JavaScript embedded in monitored item data is parsed and executed by the browser when a user views the dashboard.
Exploitation requires the attacker to control a monitored host that submits values to Zabbix, and requires a privileged user to enable HTML display on the widget. A victim user must then open the affected dashboard, satisfying the user-interaction requirement reflected in the CVSS vector. Successful execution runs in the dashboard viewer's authenticated session, enabling unauthorized actions tied to that user's role.
Root Cause
The widgets treat item history values as trusted HTML when the HTML display setting is active. Output encoding and HTML sanitization are not enforced on data originating from monitored hosts, violating the principle that agent-supplied input must be considered untrusted.
Attack Vector
The attack path begins on a compromised or attacker-controlled monitored host. The attacker writes a payload such as a <script> block or an event-handler attribute into an item value collected by the Zabbix agent. The malicious value is stored in the Zabbix history database. When a Zabbix user loads a dashboard containing an Item history or Plain text widget configured to display HTML, the browser parses and executes the payload in the context of the Zabbix frontend origin.
For specific reproduction details, consult the Zabbix Issue Tracker Entry (ZBX-27760).
Detection Methods for CVE-2026-23928
Indicators of Compromise
- Item history values containing HTML tags such as <script>, <img onerror=>, <svg onload=>, or javascript: URIs
- Dashboard widgets of type Item history or Plain text with the HTML display option enabled on items receiving data from untrusted hosts
- Unexpected outbound HTTP requests originating from Zabbix frontend user sessions to attacker-controlled domains
Detection Strategies
- Audit the Zabbix history and history_str tables for entries containing HTML or JavaScript syntax sourced from monitored hosts
- Enumerate dashboards and widgets to identify any Item history or Plain text widget configured with HTML rendering enabled
- Review web server access logs for anomalous referer chains from /zabbix.php?action=dashboard.view followed by requests to external domains
Monitoring Recommendations
- Alert on browser Content Security Policy (CSP) violation reports from the Zabbix frontend
- Monitor for changes to widget configuration that toggle the HTML display option
- Track Zabbix API session activity for unusual actions performed shortly after dashboard loads, such as user creation or script execution
How to Mitigate CVE-2026-23928
Immediate Actions Required
- Disable the HTML display option on all Item history and Plain text widgets until patched versions are deployed
- Restrict trust on monitored hosts and validate that agents are not submitting unexpected payloads in item values
- Limit dashboard editing privileges to reduce the population of users who can enable HTML rendering on widgets
Patch Information
Apply the fixed Zabbix versions referenced in the Zabbix Issue Tracker Entry (ZBX-27760). Upgrade Zabbix 6.0 LTS and Zabbix 7.0+ deployments to the latest maintenance releases that address this issue. Validate the fix in a staging environment before promoting to production.
Workarounds
- Edit each affected widget and uncheck the HTML display option, forcing values to render as plain text
- Apply input validation on item preprocessing steps to strip or escape HTML tags using regex replacement or the Replace preprocessor
- Enforce a strict Content Security Policy on the Zabbix frontend that disallows inline scripts to reduce the impact of residual injection points
# Example Zabbix item preprocessing rule (Replace step)
# Pattern: <[^>]+>
# Replacement: (empty string)
# Apply to all text/character items received from agents to strip HTML tags before storage
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
