CVE-2026-23923 — Unsafe Reflection in Zabbix

CWE-470 — Unsafe Reflection5 documents5 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 77.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix

Timeline

PublishedMar 24

Description

An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages1 packages

▶CVEListV5zabbix/zabbix7.4.0 — 7.4.6

🔴Vulnerability Details

CVEList

Unauthenticated arbitrary PHP class instantiation↗2026-03-24

▶

GHSA

GHSA-4mp5-p9jh-3rv5: An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes↗2026-03-24

▶

📋Vendor Advisories

Debian

CVE-2026-23923: zabbix - An unauthenticated attacker can exploit the Frontend 'validate' action to blindl...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-23923 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶