{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23920", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "state": "PUBLISHED", "assignerShortName": "Zabbix", "dateReserved": "2026-01-19T14:02:54.327Z", "datePublished": "2026-03-24T18:27:52.882Z", "dateUpdated": "2026-03-26T03:55:29.372Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2026-03-24T18:27:52.882Z"}, "title": "Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78 CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88: OS Command Injection"}]}], "affected": [{"vendor": "Zabbix", "product": "Zabbix", "repo": "https://git.zabbix.com/", "modules": ["Server", "Proxy"], "versions": [{"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.21", "changes": [{"at": "7.0.22", "status": "unaffected"}], "versionType": "git"}, {"status": "affected", "version": "7.2.0", "lessThanOrEqual": "7.2.14", "changes": [{"at": "7.2.15", "status": "unaffected"}], "versionType": "git"}, {"status": "affected", "version": "7.4.0", "lessThanOrEqual": "7.4.5", "changes": [{"at": "7.4.6", "status": "unaffected"}], "versionType": "git"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.</p>"}]}], "references": [{"url": "https://support.zabbix.com/browse/ZBX-27639"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "configurations": [{"lang": "en", "value": "Authenticated users with script execution permissions can bypass ^ and $ regex validation by injecting a newline character.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Authenticated users with script execution permissions can bypass ^ and $ regex validation by injecting a newline character.</p>"}]}], "workarounds": [{"lang": "en", "value": "It is possible to use \\A and \\z anchors in the regex validation as a workaround.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>It is possible to use \\A and \\z anchors in the regex validation as a workaround.</p>"}]}], "solutions": [{"lang": "en", "value": "Update the affected components to their respective fixed versions.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Update the affected components to their respective fixed versions.</p>"}]}], "credits": [{"lang": "en", "value": "Zabbix wants to thank YoKo Kho (@YoKoAcc) from PT ITSEC Asia, Tbk for submitting this report on the HackerOne bug bounty platform.", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-23920"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T03:55:29.372Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23920", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T19:24:03.625179Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:24:08.184Z"}}], "cna": {"title": "Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Zabbix wants to thank YoKo Kho (@YoKoAcc) from PT ITSEC Asia, Tbk for submitting this report on the HackerOne bug bounty platform."}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88: OS Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.zabbix.com/", "vendor": "Zabbix", "modules": ["Server", "Proxy"], "product": "Zabbix", "versions": [{"status": "affected", "changes": [{"at": "7.0.22", "status": "unaffected"}], "version": "7.0.0", "versionType": "git", "lessThanOrEqual": "7.0.21"}, {"status": "affected", "changes": [{"at": "7.2.15", "status": "unaffected"}], "version": "7.2.0", "versionType": "git", "lessThanOrEqual": "7.2.14"}, {"status": "affected", "changes": [{"at": "7.4.6", "status": "unaffected"}], "version": "7.4.0", "versionType": "git", "lessThanOrEqual": "7.4.5"}], "defaultStatus": "unknown"}], "solutions": [{"lang": "en", "value": "Update the affected components to their respective fixed versions.", "supportingMedia": [{"type": "text/html", "value": "<p>Update the affected components to their respective fixed versions.</p>", "base64": false}]}], "references": [{"url": "https://support.zabbix.com/browse/ZBX-27639"}], "workarounds": [{"lang": "en", "value": "It is possible to use \\A and \\z anchors in the regex validation as a workaround.", "supportingMedia": [{"type": "text/html", "value": "<p>It is possible to use \\A and \\z anchors in the regex validation as a workaround.</p>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.", "supportingMedia": [{"type": "text/html", "value": "<p>Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "configurations": [{"lang": "en", "value": "Authenticated users with script execution permissions can bypass ^ and $ regex validation by injecting a newline character.", "supportingMedia": [{"type": "text/html", "value": "<p>Authenticated users with script execution permissions can bypass ^ and $ regex validation by injecting a newline character.</p>", "base64": false}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2026-03-24T18:27:52.882Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23920", "state": "PUBLISHED", "dateUpdated": "2026-03-26T03:55:29.372Z", "dateReserved": "2026-01-19T14:02:54.327Z", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "datePublished": "2026-03-24T18:27:52.882Z", "assignerShortName": "Zabbix"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands."}], "id": "CVE-2026-23920", "lastModified": "2026-03-25T15:41:58.280", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@zabbix.com", "type": "Secondary"}]}, "published": "2026-03-24T19:16:49.557", "references": [{"source": "security@zabbix.com", "url": "https://support.zabbix.com/browse/ZBX-27639"}], "sourceIdentifier": "security@zabbix.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@zabbix.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.21]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "7.0.22"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.2.0,7.2.14]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "7.2.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.4.0,7.4.5]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "7.4.6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Zabbix", "source": "cna", "vendor": "Zabbix"}, "product": "zabbix", "vendor": "zabbix"}], "analysis": {"en": {"generated_at": "2026-03-24T20:26:08.282929+00:00", "value": {"mitigation_remediation": ["Update all Zabbix components to the fixed versions disclosed by the vendor", "If immediate patching is not possible, modify the script validation regex to use \\A and \\z anchors instead of ^ and $", "Limit the permissions of users who can configure host or event action scripts to reduce the attack surface", "After applying a patch or workaround, verify that the regex validation now rejects inputs containing newlines"], "summary": {"action": "Immediate Patch", "impact": "Command Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Zabbix products. Specific component names and version ranges are not listed in the advisory, so all installations that allow host or event scripts configured with a regex validator are potentially exposed until a patch is applied.", "description_and_impact": "Zabbix host and event action scripts are filtered by a user\u2011defined regular expression but the pattern is evaluated in multiline mode. An attacker who can set a script can insert a newline, causing the ^ and $ anchors to apply only to the first line and allowing crafted input to bypass validation. The result is that arbitrary shell commands are executed with the privileges of the Zabbix server, posing a risk of data theft, system compromise, or denial of service. The weakness is a classic command injection flaw (CWE\u201178).", "risk_and_exploitability": "The CVSS score is 7.7, indicating high severity. No EPSS score is available, and the issue is not included in CISA's KEV catalog. Exploitation requires an authenticated user with permission to configure host or event scripts, so the attack vector is internal rather than remote. Because the vulnerability is not publicly exposed for arbitrary users, the likelihood of wide\u2011scale exploitation is lower, but the impact remains significant for compromised accounts."}}}}, "created": "2026-03-25T11:46:38.135186+00:00", "updated": "2026-03-25T20:49:22.939316+00:00", "vendors": ["zabbix", "zabbix$PRODUCT$zabbix"]}