Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-10134 — SQL Injection in Zabbix

CWE-89 — SQL Injection9 documents8 sources

Severity

9.8CRITICALNVD

EPSS

86.2%

top 0.59%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zabbix Debian Zabbix

Timeline

PublishedFeb 17

Latest updateJun 15

Description

SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/zabbix< zabbix 1:3.0.4+dfsg-1 (bookworm)

▶Debianzabbix/zabbix< 1:3.0.4+dfsg-1+3

▶Ubuntuzabbix/zabbix< 1:2.2.2+dfsg-1ubuntu1+esm4+3

▶NVDzabbix/zabbix2.2.13+4

Patches

Patch: support.zabbix.com ↗Patch: support.zabbix.com ↗

🔴Vulnerability Details

OSV

zabbix vulnerabilities↗2022-06-15

▶

GHSA

GHSA-q33m-pmcq-844x: SQL injection vulnerability in Zabbix before 2↗2022-05-17

▶

OSV

CVE-2016-10134: SQL injection vulnerability in Zabbix before 2↗2017-02-17

▶

💥Exploits & PoCs

Nuclei

Zabbix - SQL Injection

▶

Metasploit

Zabbix toggle_ids SQL Injection↗

▶

📋Vendor Advisories

Ubuntu

Zabbix vulnerabilities↗2022-06-15

▶

Debian

CVE-2016-10134: zabbix - SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows ...↗2016

▶

🕵️Threat Intelligence

Greynoiseio

NoiseLetter September 2025↗

▶