CVE-2026-23923 MEDIUM

CVE-2026-23923: Unauthenticated arbitrary PHP class instantiation

Vendor Zabbix

Product Zabbix

Weakness CWE-470

Published March 24, 2026

Last update March 25, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

Description

An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.

Key dates

Disclosure timeline

March 24, 2026 CVE published

March 25, 2026 Record updated