CVE-2026-23920

Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection

Description

Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.

INFO

Published Date :

2026-03-24T18:27:52.882Z

Last Modified :

2026-03-26T03:55:29.372Z

Source :

Zabbix

AFFECTED PRODUCTS

The following products are affected by CVE-2026-23920 vulnerability.

Vendors	Products
Zabbix	Zabbix

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23920.

URL	Resource
https://support.zabbix.com/browse/ZBX-27639

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability