Zabbix Stored Cross-Site Scripting Vulnerability in Dashboard Widgets

Vulnerability

A stored cross-site scripting vulnerability has been identified in Zabbix dashboard widgets. In Zabbix versions 7.0.0 to 7.0.23 and 7.4.0 to 7.4.7, the Item history widget can execute injected JavaScript when HTML display is enabled. In Zabbix 6.0, a similar issue exists in the Plain text widget. This vulnerability allows an attacker to perform unauthorized actions in the context of the user viewing the dashboard. The malicious JavaScript must originate from a monitored host controlled by the attacker.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the dashboard.

Remediation

Users can update to Zabbix 6.0.45, 7.0.24, or 7.4.8, depending on their current version. Alternatively, they can disable HTML display in the affected widgets or turn off the widgets entirely in the Zabbix administration panel.
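
To triage an inventory of Zabbix servers against the ranges and fixed releases above, a check like the following can be used. It is an added example, not code from Zabbix or from this advisory's publisher. The host names are constructed, and treating every 6.0.x release below 6.0.45 as affected is an assumption, since no lower bound is given for that branch.

```python
import re

# Fixed releases and affected widgets as stated in the advisory above.
# Assumption: the advisory gives no lower bound for 6.0, so every 6.0.x
# release below the fixed 6.0.45 is treated as affected.
ADVISORY = {
    (6, 0): (45, "Plain text"),
    (7, 0): (24, "Item history"),
    (7, 4): (8, "Item history"),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def triage(version):
    """Classify one Zabbix version string against the advisory.

    Returns (status, detail). status is 'affected', 'fixed',
    'not-listed' (branch not named in the advisory) or 'unparsed'
    (pre-release or malformed string that needs a manual check).
    """
    m = VERSION_RE.fullmatch(version.strip())
    if m is None:
        return ("unparsed", "check manually")
    major, minor, patch = (int(g) for g in m.groups())
    entry = ADVISORY.get((major, minor))
    if entry is None:
        return ("not-listed", "branch not covered by the advisory")
    fixed_patch, widget = entry
    fixed = f"{major}.{minor}.{fixed_patch}"
    if patch < fixed_patch:
        return ("affected", f"update to {fixed} or disable HTML display "
                            f"in the {widget} widget")
    return ("fixed", f"at or above {fixed}")


def triage_inventory(inventory):
    """Map {server_name: version} to {server_name: (status, detail)}."""
    return {name: triage(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names are hypothetical.
    sample = {"zbx-prod": "7.0.23", "zbx-lab": "7.4.8",
              "zbx-legacy": "6.0.44", "zbx-old": "6.4.12",
              "zbx-test": "7.4.0rc2"}
    for name, (status, detail) in triage_inventory(sample).items():
        print(f"{name:12} {status:10} {detail}")
```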

Added: May 6, 2026, 8:29 AM
Updated: May 6, 2026, 8:29 AM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 1.7
exploitability: 6.0
remediation: 8.3
relevance: 7.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.