Description

An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.

PUBLISHED Reserved 2026-01-19 | Published 2026-03-24 | Updated 2026-03-25 | Assigner Zabbix




MEDIUM: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N)

Problem types

CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Product status

Default status: unknown

7.4.0 (git): affected

Credits

Zabbix wants to thank pitticus for submitting this report on the HackerOne bug bounty platform. (reporter)

References

support.zabbix.com/browse/ZBX-27641

cve.org (CVE-2026-23923)

nvd.nist.gov (CVE-2026-23923)
