Zabbix Command Injection Vulnerability via Regex Validation Bypass

Vulnerability

A command injection vulnerability has been identified in the input validation for Zabbix host and event action scripts. The validation is driven by an administrator-defined regex that is evaluated in multiline mode, where the ^ and $ anchors match at line boundaries rather than at the start and end of the whole string. An authenticated user can therefore place a newline in the input so that one line satisfies the regex while another line carries injected shell commands. This issue affects Zabbix versions 7.0.0 to 7.0.21, 7.2.0 to 7.2.14, and 7.4.0 to 7.4.5.

Impact

Exploitation of this vulnerability allows for command injection, where an authenticated user can execute arbitrary shell commands on the server or proxy where Zabbix is running.

Remediation

Users should update to Zabbix version 7.0.22, 7.2.15, or 7.4.6, depending on the branch they run. As a temporary workaround, the administrator-defined regex validations can be rewritten to use the \A and \z anchors, which match only the start and end of the whole string, instead of ^ and $.
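To make the anchor problem concrete, the following is an added Python example (not Zabbix code) that contrasts an allow-list check using ^ and $ in multiline mode with the whole-string form the workaround recommends. Python spells PCRE's \z end anchor as \Z; the pattern, the sample inputs and the helper names are constructed for this illustration.

```python
import re

# Constructed allow-list pattern (not from Zabbix): an administrator wants a
# script parameter limited to lowercase letters, digits and dashes.
ADMIN_PATTERN = r"^[a-z0-9-]+$"


def validate_multiline(value: str, pattern: str = ADMIN_PATTERN) -> bool:
    # Weak check: with MULTILINE, ^ and $ match at every line boundary, so a
    # value can satisfy the pattern on one line and carry arbitrary text on
    # another. Even without MULTILINE, $ still matches before a trailing "\n".
    return re.search(pattern, value, re.MULTILINE) is not None


def to_string_anchors(pattern: str) -> str:
    # Rewrite a leading ^ and a trailing $ into whole-string anchors.
    # PCRE (PHP) spells the end anchor \z; Python's equivalent is \Z.
    if pattern.startswith("^"):
        pattern = r"\A" + pattern[1:]
    if pattern.endswith("$") and not pattern.endswith(r"\$"):
        pattern = pattern[:-1] + r"\Z"
    return pattern


def validate_hardened(value: str, pattern: str = ADMIN_PATTERN) -> bool:
    # Hardened check: \A and \Z match only at the true start and end of the
    # whole string, so an embedded or trailing newline can no longer hide
    # text from the validation.
    return re.search(to_string_anchors(pattern), value, re.MULTILINE) is not None


# Constructed sample inputs: one clean value and three newline-bearing variants.
SAMPLES = {
    "host-01": "clean value",
    "host-01\nsecond line": "extra line appended after a valid first line",
    "first line\nhost-01": "valid line placed after an arbitrary first line",
    "host-01\n": "trailing newline only",
}


def compare(samples=SAMPLES) -> dict:
    # Returns {value: (multiline_result, hardened_result)} for each sample.
    return {v: (validate_multiline(v), validate_hardened(v)) for v in samples}


if __name__ == "__main__":
    for value, (weak, strong) in compare().items():
        print(f"{value!r:28} multiline={weak!s:5} hardened={strong}")
```

Every newline-bearing sample passes the multiline check and fails the hardened one, which is exactly the gap the \A and \z workaround closes.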

Added: Mar 24, 2026, 7:46 PM
Updated: Mar 24, 2026, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 10.0
exploitability: 5.2
remediation: 8.3
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.