Zabbix Stored Cross-Site Scripting Vulnerability in Host Navigator Widget Maintenance Tooltip

Vulnerability

A stored cross-site scripting vulnerability has been identified in Zabbix versions 7.0.0 through 7.0.23 and 7.4.0 through 7.4.7. This vulnerability allows an authenticated (non-super) administrator to create a maintenance period containing a JavaScript payload. When any user opens the tooltip for that maintenance period in the Host navigator widget, the payload is executed. This could enable the attacker to perform unauthorized actions, depending on the user who opens the tooltip.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the maintenance tooltip.

Remediation

Users can update to Zabbix version 7.0.24 or 7.4.8, depending on their current version. Alternatively, the Host navigator widget can be disabled via the Administration -> General -> Modules menu.
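
To triage an inventory against the affected ranges and fixed releases stated above, the following added example (not from the advisory or from Zabbix) classifies frontend version strings. The function names, host names and sample versions are constructed for illustration, and treating pre-release builds as needing manual review is an assumption, since the advisory does not mention them.

```python
import re

# Affected patch ranges and fixed releases, taken from the advisory text above.
AFFECTED = {
    (7, 0): {"first": 0, "last": 23, "fixed": "7.0.24"},
    (7, 4): {"first": 0, "last": 7, "fixed": "7.4.8"},
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")

# Constructed sample inventory: host name -> reported Zabbix version.
INVENTORY = {
    "zbx-prod": "7.0.12",
    "zbx-lab": "7.4.8",
    "zbx-old": "6.0.30",
    "zbx-test": "7.4.0rc2",
}


def classify(version):
    """Return (status, detail) for one Zabbix version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return ("unparsed", "not a major.minor.patch version")
    major, minor, patch = (int(g) for g in m.groups()[:3])
    branch = AFFECTED.get((major, minor))
    if branch is None:
        # The advisory only names the 7.0 and 7.4 branches.
        return ("not-listed", "branch is not named in the advisory")
    if m.group(4):
        # Assumption: rc/beta/alpha builds are outside the advisory's scope.
        return ("review", "pre-release build, check manually")
    if branch["first"] <= patch <= branch["last"]:
        return ("affected", "update to " + branch["fixed"])
    return ("fixed", "at or above " + branch["fixed"])


def triage(inventory):
    """Classify every host in a {host: version} mapping."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, (status, detail) in triage(INVENTORY).items():
        print(f"{host:10} {INVENTORY[host]:10} {status:10} {detail}")
```

Hosts reported as affected that cannot be updated immediately are candidates for the module-disable workaround described above.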

Added: May 6, 2026, 8:32 AM
Updated: May 6, 2026, 8:32 AM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 1.7
exploitability: 5.0
remediation: 8.3
relevance: 7.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.