{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23923", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "state": "PUBLISHED", "assignerShortName": "Zabbix", "dateReserved": "2026-01-19T14:02:54.327Z", "datePublished": "2026-03-24T18:29:23.165Z", "dateUpdated": "2026-03-25T19:25:01.128Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2026-03-24T18:29:23.165Z"}, "title": "Unauthenticated arbitrary PHP class instantiation", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-470", "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-138", "descriptions": [{"lang": "en", "value": "CAPEC-138: Reflection Injection"}]}], "affected": [{"vendor": "Zabbix", "product": "Zabbix", "repo": "https://git.zabbix.com/", "modules": ["Frontend"], "versions": [{"status": "affected", "version": "7.4.0", "lessThanOrEqual": "7.4.6", "changes": [{"at": "7.4.7", "status": "unaffected"}], "versionType": "git"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.</p>"}]}], "references": [{"url": "https://support.zabbix.com/browse/ZBX-27641"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}}], "configurations": [{"lang": "en", "value": "The action can be invoked by any user able to reach Frontend.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The action can be invoked by any user able to reach Frontend.</p>"}]}], "solutions": [{"lang": "en", "value": "Update the affected components to their respective fixed versions.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Update the affected components to their respective fixed versions.</p>"}]}], "credits": [{"lang": "en", "value": "Zabbix wants to thank pitticus for submitting this report on the HackerOne bug bounty platform.", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:24:53.942052Z", "id": "CVE-2026-23923", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:25:01.128Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23923", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T19:24:53.942052Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:24:58.974Z"}}], "cna": {"title": "Unauthenticated arbitrary PHP class instantiation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Zabbix wants to thank pitticus for submitting this report on the HackerOne bug bounty platform."}], "impacts": [{"capecId": "CAPEC-138", "descriptions": [{"lang": "en", "value": "CAPEC-138: Reflection Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.zabbix.com/", "vendor": "Zabbix", "modules": ["Frontend"], "product": "Zabbix", "versions": [{"status": "affected", "changes": [{"at": "7.4.7", "status": "unaffected"}], "version": "7.4.0", "versionType": "git", "lessThanOrEqual": "7.4.6"}], "defaultStatus": "unknown"}], "solutions": [{"lang": "en", "value": "Update the affected components to their respective fixed versions.", "supportingMedia": [{"type": "text/html", "value": "<p>Update the affected components to their respective fixed versions.</p>", "base64": false}]}], "references": [{"url": "https://support.zabbix.com/browse/ZBX-27641"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.", "supportingMedia": [{"type": "text/html", "value": "<p>An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-470", "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"}]}], "configurations": [{"lang": "en", "value": "The action can be invoked by any user able to reach Frontend.", "supportingMedia": [{"type": "text/html", "value": "<p>The action can be invoked by any user able to reach Frontend.</p>", "base64": false}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2026-03-24T18:29:23.165Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23923", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:25:01.128Z", "dateReserved": "2026-01-19T14:02:54.327Z", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "datePublished": "2026-03-24T18:29:23.165Z", "assignerShortName": "Zabbix"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time."}], "id": "CVE-2026-23923", "lastModified": "2026-03-25T15:41:58.280", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@zabbix.com", "type": "Secondary"}]}, "published": "2026-03-24T19:16:50.740", "references": [{"source": "security@zabbix.com", "url": "https://support.zabbix.com/browse/ZBX-27641"}], "sourceIdentifier": "security@zabbix.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-470"}], "source": "security@zabbix.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.4.0,7.4.6]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.4.7,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Zabbix", "source": "cna", "vendor": "Zabbix"}, "product": "zabbix", "vendor": "zabbix"}], "analysis": {"en": {"generated_at": "2026-03-24T20:51:52.741274+00:00", "value": {"mitigation_remediation": ["Update Zabbix components to the fixed versions released by the vendor.", "If a patch is not immediately available, disable or restrict the Frontend \u201cvalidate\u201d action via web server configuration or firewall rules.", "Apply network segmentation to limit who can reach the Zabbix web interface.", "Monitor frontend logs for unexpected class instantiation attempts and set up alerts for suspicious activity."], "summary": {"action": "Apply Patch", "impact": "Possible Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All Zabbix installations that expose the frontend validate endpoint before the fix are affected. The specific product and version ranges are not listed in the advisory, so any Zabbix software released prior to the official patch could be vulnerable. Administrators should verify the presence of the validate action and consider disabling it if the software version is unknown.", "description_and_impact": "The vulnerability allows an unauthenticated attacker to cause the Zabbix Frontend process to instantiate arbitrary PHP classes by using the \u201cvalidate\u201d action. This flaw effectively allows code to be executed with the privileges of the web application. The extent of impact depends on the server configuration, but the ability to load arbitrary classes can lead to remote code execution, privileged escape or data exfiltration in some environments.", "risk_and_exploitability": "The CVSS score of 6.9 places the vulnerability in the Medium severity range. EPSS data is not available, and it is not yet listed in the CISA KEV catalog. The flaw can be exploited without authentication by sending a request to the validate action. Because the attack vector is a network-accessible web endpoint, the risk is broad and the exploitation requirement is minimal."}}}}, "created": "2026-03-25T11:46:35.291070+00:00", "updated": "2026-03-25T21:27:45.666769+00:00", "vendors": ["zabbix", "zabbix$PRODUCT$zabbix"]}