SQL Injection in Zabbix
CVE-2026-23921
A low-privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned direct…
Vulnerability class: SQL Injection
EPSS: 0.000 (14.1th percentile)
Affected products
- Zabbix — versions 7.0.0, 7.2.0, 7.4.0
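
As a detection aid for the sortfield vector described above, the following added example (not code from Zabbix or from this advisory) scans Zabbix JSON-RPC API request bodies and reports any sortfield value that is not a bare identifier. It assumes legitimate sort fields are plain column-style names; the function names and sample requests are constructed for illustration.

```python
import json
import re

# Assumption: legitimate sortfield values are bare identifiers such as
# "name" or "hostid"; anything else deserves review.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def sortfield_values(params):
    """Yield every sortfield value (string or list entries) nested in params."""
    if isinstance(params, dict):
        for key, value in params.items():
            if key == "sortfield":
                yield from (value if isinstance(value, list) else [value])
            else:
                yield from sortfield_values(value)
    elif isinstance(params, list):
        for item in params:
            yield from sortfield_values(item)


def suspicious_sortfields(raw_body):
    """Return (method, value) pairs whose sortfield is not a bare identifier."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return []  # not JSON: out of scope for this check
    calls = body if isinstance(body, list) else [body]  # JSON-RPC 2.0 batches are lists
    findings = []
    for call in calls:
        if not isinstance(call, dict):
            continue
        for value in sortfield_values(call.get("params")):
            if not (isinstance(value, str) and IDENTIFIER.fullmatch(value)):
                findings.append((call.get("method"), value))
    return findings


# Constructed sample request bodies, not captured traffic.
SAMPLES = [
    '{"jsonrpc":"2.0","method":"host.get","params":{"output":["hostid"],"sortfield":"name"},"id":1}',
    '{"jsonrpc":"2.0","method":"host.get","params":{"sortfield":["hostid","name"]},"id":2}',
    '{"jsonrpc":"2.0","method":"host.get","params":{"sortfield":"name, (select 1)"},"id":3}',
    '{"jsonrpc":"2.0","method":"item.get","params":{"sortfield":["name",{"x":1}]},"id":4}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for method, value in suspicious_sortfields(sample):
            print(f"review: method={method} sortfield={value!r}")
```

The same identifier check can be applied at a reverse proxy or in log review for API requests from low-privilege accounts until affected installations are upgraded.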