CVE-2026-23920 — OS Command Injection in Zabbix

CWE-78 — OS Command Injection7 documents6 sources

Severity

7.7HIGHNVD

EPSS

0.1%

top 83.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix

Timeline

PublishedMar 24

Latest updateApr 6

Description

Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶Debianzabbix/zabbix< 1:7.0.22+dfsg-1~deb13u1+1

▶CVEListV5zabbix/zabbix7.0.0 — 7.0.21+2

🔴Vulnerability Details

OSV

CVE-2026-23920: (Host and event action script input is validated with a regex (set by t↗2026-04-06

▶

CVEList

Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection↗2026-03-24

▶

GHSA

GHSA-2h5x-h7x4-hm9h: Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode↗2026-03-24

▶

OSV

CVE-2026-23920: Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode↗2026-03-24

▶

📋Vendor Advisories

Debian

CVE-2026-23920: zabbix - Host and event action script input is validated with a regex (set by the adminis...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-23920 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶