4 matches found
CVE-2026-23921
CVE-2026-23921 concerns a blind SQL injection in Zabbix’s API layer. A low-privilege Zabbix user with API access can target include/classes/api/CApiService.php via the sortfield parameter to perform arbitrary SQL selects. While results are not returned directly, an attacker can exfiltrate data th...
CVE-2025-27238 API hostprototype.get lists data to users with insufficient authorization.
Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them...
UBUNTU-CVE-2024-36465
A low privilege regular Zabbix user with API access can use SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter...
UBUNTU-CVE-2023-32721
A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL...