CVE-2026-23926 HIGH

CVE-2026-23926: Stored XSS vulnerability in Host navigator widget maintenance tooltip

Vendor Zabbix
Product Zabbix
Weakness CWE-79 · XSS
Published May 6, 2026
Last update May 7, 2026

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An authenticated (non-super) administrator can create a maintenance period containing a JavaScript payload, which is executed in the browser of any user who opens the tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions, depending on which user opens the tooltip.

Key dates

02 Disclosure timeline

May 6, 2026 CVE published
May 7, 2026 Record updated
