Vulnerability in Zabbix

CVE-2026-23923

An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.

EPSS: 0.001 (28.9th percentile) — read the EPSS interpretation.

Affected products

Zabbix — versions 7.4.0

Weakness classification (CWE)

CWE-470 — Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)

References

support.zabbix.com/browse/ZBX-27641