CVE-2025-27236 User information disclosure via api_jsonrpc.php on method user.get with param search

A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to...

CVE-2024-42325 Excessive information returned by user.get

Zabbix API user.get returns all users that share common group with the calling user. This includes media and other information, such as login attempts, etc...