Home

Description

Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.

PUBLISHED Reserved 2026-01-19 | Published 2026-03-24 | Updated 2026-03-26 | Assigner Zabbix




HIGH: 7.7CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78 CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unknown

7.0.0 (git)
affected

7.2.0 (git)
affected

7.4.0 (git)
affected

Credits

Zabbix wants to thank YoKo Kho (@YoKoAcc) from PT ITSEC Asia, Tbk for submitting this report on the HackerOne bug bounty platform. reporter

References

support.zabbix.com/browse/ZBX-27639

cve.org (CVE-2026-23920)

nvd.nist.gov (CVE-2026-23920)

Download JSON