EXECUTIVE SUMMARY:
Zabbix has addressed vulnerabilities affecting its monitoring platform, including stored Cross-Site Scripting (XSS) flaws and an Oracle injection issue. One issue is present in the Host navigator widget, where an authenticated non-super administrator can inject malicious JavaScript into maintenance periods. When other users interact with tooltips in the widget, the payload executes in their browser, potentially enabling unauthorized actions, session abuse, or privilege escalation. Additional issues include an XSS flaw in the Item history widget and an Oracle plugin injection vulnerability in Agent 2 that could expose sensitive database credentials. These weaknesses highlight the risks of client-side script execution and backend data exposure in enterprise monitoring environments.

CVE-2026-23926 (CVSS score 7.3) – An authenticated administrator can inject JavaScript into a maintenance period. The payload executes when any user opens the tooltip in the Host navigator widget, enabling unauthorized actions under the victim's session context.
CVE-2026-23928 (CVSS score 7.3) – A compromised or malicious monitored host can inject JavaScript into item history data. When an administrator views the data via the Plain text widget, the script executes in the browser, potentially allowing credential theft or session hijacking.
CVE-2026-23927 (CVSS score 5.1) – Improper sanitization of Oracle connection parameters allows injection of a malicious TNS string. This can force Agent 2 to connect to attacker-controlled systems, potentially leaking Oracle database credentials.
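As an added example, and not Zabbix's own code or its fix for CVE-2026-23927, the following Go helper shows the kind of input validation an agent plugin can apply to Oracle connection parameters: it accepts only a plain hostname, numeric port and service name, refuses anything carrying TNS connect-descriptor syntax, and checks the host against an operator allowlist so the agent cannot be pointed at an arbitrary system. The function names, the allowlist and the EZConnect output format are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Hypothetical helper, not Zabbix Agent 2 code. The Oracle plugin flaw described above
// stems from unsanitized connection parameters reaching the driver as a TNS connect string.
var (
	hostRe    = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$`)
	serviceRe = regexp.MustCompile(`^[A-Za-z0-9_.$#]+$`)
)
// OracleTarget holds parameters that passed validation.
type OracleTarget struct {
	Host    string
	Port    int
	Service string
}
// ValidateOracleTarget checks user-supplied parameters before they are composed into a
// connect string. allowedHosts is an operator-maintained allowlist (assumed for this example).
func ValidateOracleTarget(host, port, service string, allowedHosts map[string]bool) (OracleTarget, error) {
	// A connect descriptor is a tree of "(KEY=VALUE)" groups; none of those characters,
	// nor whitespace, belong in a plain host, port or service name, so refuse them early.
	for _, f := range []string{host, port, service} {
		if strings.ContainsAny(f, "()= \t\r\n") {
			return OracleTarget{}, fmt.Errorf("TNS descriptor syntax is not allowed in connection parameters")
		}
	}
	if !hostRe.MatchString(host) {
		return OracleTarget{}, fmt.Errorf("invalid host %q", host)
	}
	if !allowedHosts[strings.ToLower(host)] {
		return OracleTarget{}, fmt.Errorf("host %q is not on the allowlist", host)
	}
	p, err := strconv.Atoi(port)
	if err != nil || p < 1 || p > 65535 {
		return OracleTarget{}, fmt.Errorf("invalid port %q", port)
	}
	if !serviceRe.MatchString(service) {
		return OracleTarget{}, fmt.Errorf("invalid service name %q", service)
	}
	return OracleTarget{Host: host, Port: p, Service: service}, nil
}

// ConnectString renders the only shape handed to the driver: EZConnect host:port/service.
func (t OracleTarget) ConnectString() string {
	return fmt.Sprintf("%s:%d/%s", t.Host, t.Port, t.Service)
}
```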
RECOMMENDATION:
We strongly recommend that you update Zabbix to the fixed versions listed in the issue tracker entry for each CVE:
CVE-2026-23926: https://support.zabbix.com/browse/ZBX-27758
CVE-2026-23928: https://support.zabbix.com/browse/ZBX-27760
CVE-2026-23927: https://support.zabbix.com/browse/ZBX-27759
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/zabbix-security-patches-xss-oracle-injection-cve-2026-23926/