CVE Daily
← All tags

Tag: Zabbix

All CVEs associated with "Zabbix". Page 1/1 • 94 CVEs.

About “Zabbix”

A curated feed of “Zabbix”-related CVEs appears below. We currently track 94 CVEs for this tag (all time). In the last 365 days, 16 were published. Average CVSS is 6.4 (all time; 6.1 over 365d), and 46% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-863 - Incorrect Authorization, CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

In our taxonomy this topic maps to a LOW impact class. Logging and monitoring stacks may expose dashboards or collectors. Patch services, enforce auth and TLS, restrict admin endpoints, rotate tokens, and review data retention. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: zabbix

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestPremier SupportEOLLTS
7.47.4.11Unavailable Soon
7.27.2.15 Expired
7.07.0.27LTS
6.46.4.21 Expired
6.26.2.9 Expired
6.06.0.46LTS
5.45.4.12 Expired
5.05.0.47 ExpiredLTS
4.04.0.50 ExpiredLTS

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Zabbix”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-06
High

CVE-2026-23928

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized acti…

CVSS: 7.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-03-24
Medium

CVE-2026-23924

Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding them to the Docker daemon. An attacker capable of invoking Agent 2 can read arbitrary fi…

CVSS: 6.1 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
High

CVE-2026-23921

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Althou…

CVSS: 8.7 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2026-23919

For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-…

CVSS: 7.1 CWE: CWE-488 - Exposure of Data Element to Wrong Session View on NVD
2026-03-06
Medium

CVE-2026-23925

An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorize…

CVSS: 5.1 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-12-01
Medium

CVE-2025-49643

An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of ser…

CVSS: 6.5 CWE: CWE-405 - Asymmetric Resource Consumption (Amplification) View on NVD
Medium

CVE-2025-49642

Library loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory.

CVSS: 5.9 CWE: CWE-426 - Untrusted Search Path View on NVD
Medium

CVE-2025-27232

An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss.

CVSS: 4.9 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2025-10-03
Medium

CVE-2025-49641

A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2025-27237

In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation…

CVSS: 7.3 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
Medium

CVE-2025-27236

A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not hav…

CVSS: 6.5 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-09-19
Medium

CVE-2025-10630

Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metri…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
2025-09-12
High

CVE-2025-27240

A Zabbix adminitrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field.

CVSS: 7.2 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Low

CVE-2025-27238

Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them.

CVSS: 3.5 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-27234

Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. In Zabbix 5.0 this allows for remot…

CVSS: 7.3 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-27233

Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. This can be used to leak the NTLMv2…

CVSS: 5.7 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2025-04-02
Medium

CVE-2024-45700

Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled resource exhaustion. An attacker can send specially crafted requests to the server, which will cause the server to allocate an e…

CVSS: 6.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Medium

CVE-2024-45699

The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriat…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2024-42325

Zabbix API user.get returns all users that share common group with the calling user. This includes media and other information, such as login attempts, etc.

CVSS: 3.5 CWE: CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor View on NVD
High

CVE-2024-36465

A low privilege (regular) Zabbix user with API access can use SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter.

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-11-27
Low

CVE-2024-42333

The researcher is showing that it is possible to leak a small amount of Zabbix Server memory using an out of bounds read in src/libs/zbxmedia/email.c

CVSS: 2.7 CWE: CWE-126 - Buffer Over-read View on NVD
Low

CVE-2024-42332

The researcher is showing that due to the way the SNMP trap log is parsed, an attacker can craft an SNMP trap with additional lines of information and have forged data show in the Zabbix UI. This att…

CVSS: 3.7 CWE: CWE-116 - Improper Encoding or Escaping of Output View on NVD
Critical

CVE-2024-42327

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRe…

CVSS: 9.9 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Low

CVE-2024-36468

The reported vulnerability is a stack buffer overflow in the zbx_snmp_cache_handle_engineid function within the Zabbix server/proxy code. This issue occurs when copying data from session->securityEng…

CVSS: 3.0 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
High

CVE-2024-36467

An authenticated user with API access (e.g.: user with default User role), more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group (e.…

CVSS: 7.5 CWE: CWE-285 - Improper Authorization View on NVD
2024-11-26
Medium

CVE-2024-36463

The implementation of atob in "Zabbix JS" allows to create a string with arbitrary content and use it to access internal properties of objects.

CVSS: 6.5 CWE: CWE-767 - Access to Critical Private Variable via Public Method View on NVD
2024-08-12
Critical

CVE-2024-36461

Within Zabbix, users have the ability to directly modify memory pointers in the JavaScript engine.

CVSS: 9.1 CWE: CWE-822 - Untrusted Pointer Dereference View on NVD
Low

CVE-2024-22123

Setting SMS media allows to set GSM modem file. Later this file is used as Linux device. But due everything is a file for Linux, it is possible to set another file, e.g. log file and zabbix_server wi…

CVSS: 2.7 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Low

CVE-2024-22122

Zabbix allows to configure SMS notifications. AT command injection occurs on "Zabbix Server" because there is no validation of "Number" field on Web nor on Zabbix server side. Attacker can run test o…

CVSS: 3.0 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2024-22121

A non-admin user can change or remove important features within the Zabbix Agent application, thus impacting the integrity and availability of the application.

CVSS: 6.1 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
2024-05-17
Critical

CVE-2024-22120

Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injecti…

CVSS: 9.1 CWE: CWE-20 - Improper Input Validation View on NVD
2023-12-18
Medium

CVE-2023-32728

The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution.

CVSS: 4.6 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2023-32727

An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server.

CVSS: 6.8 CWE: CWE-20 - Improper Input Validation View on NVD
2023-10-12
Critical

CVE-2023-32722

The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open.

CVSS: 9.6 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
High

CVE-2023-32721

A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL.

CVSS: 7.6 CWE: CWE-20 - Improper Input Validation View on NVD
2023-07-13
Medium

CVE-2023-29451

Specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the Zabbix Server or a Zabbix Proxy.

CVSS: 4.7 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2023-29450

JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unau…

CVSS: 8.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2022-12-15
Medium

CVE-2022-46768

Arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on the port 10053. The service does not have proper validation for URL parameters before reading the fi…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
2022-12-05
Medium

CVE-2022-43516

A Firewall Rule which allows all incoming TCP connections to all programs from any source and to all ports is created in Windows Firewall after Zabbix agent installation (MSI)

CVSS: 6.5 CWE: CWE-16 View on NVD
Medium

CVE-2022-43515

Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix…

CVSS: 5.3 CWE: CWE-20 - Improper Input Validation View on NVD
2022-09-14
Medium

CVE-2022-40626

An unauthenticated user can create a link with reflected Javascript code inside the backurl parameter and send it to other authenticated users in order to create a fake account with predefined login,…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2022-03-21
Critical

CVE-2022-26148

An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to r…

CVSS: 9.8 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2022-03-09
Medium

CVE-2022-24349

An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and ca…

CVSS: 4.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2022-01-27
High

CVE-2021-46088

Zabbix 4.0 LTS, 4.2, 4.4, and 5.0 LTS is vulnerable to Remote Code Execution (RCE). Any user with the "Zabbix Admin" role is able to run custom shell script on the application server in the context o…

CVSS: 7.2 CWE: N/A View on NVD
2022-01-13
Low

CVE-2022-23134

After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentiall…

CVSS: 3.7 CWE: CWE-284 - Improper Access Control View on NVD
Low

CVE-2022-23132

During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, wr…

CVSS: 3.3 CWE: CWE-284 - Improper Access Control View on NVD
Critical

CVE-2022-23131

In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Ma…

CVSS: 9.1 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2022-01-06
Critical

CVE-2022-22704

The zabbix-agent2 package before 5.4.9-r1 for Alpine Linux sometimes allows privilege escalation to root because the design incorrectly expected that systemd would (in effect) determine part of the c…

CVSS: 9.8 CWE: CWE-909 - Missing Initialization of Resource View on NVD
2021-03-03
High

CVE-2021-27927

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection m…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2020-10-07
Critical

CVE-2020-11800

Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code.

CVSS: 9.8 CWE: N/A View on NVD
2020-07-17
Medium

CVE-2020-15803

Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-02-17
Critical

CVE-2013-3738

A File Inclusion vulnerability exists in Zabbix 2.0.6 due to inadequate sanitization of request strings in CGI scripts, which could let a remote malicious user execute arbitrary code.

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
2020-02-07
High

CVE-2013-3628

Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability

CVSS: 8.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2019-12-11
Critical

CVE-2013-5743

Multiple SQL injection vulnerabilities in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.9rc1, and 2.1.x before 2.1.7.

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2019-11-30
High

CVE-2013-7484

Zabbix before 5.0 represents passwords in the users table with unsalted MD5.

CVSS: 7.5 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2019-10-09
Critical

CVE-2019-17382

An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Repo…

CVSS: 9.1 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2019-08-17
Medium

CVE-2019-15132

Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or passw…

CVSS: 5.3 CWE: CWE-203 - Observable Discrepancy View on NVD
2019-02-17
Medium

CVE-2016-10742

Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before 3.2.10rc1, and 3.3.x and 3.4.x before 3.4.4rc1 allows open redirect via the request parameter.

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2018-10-14
High

CVE-2018-18289

The MESILAT Zabbix plugin before 1.1.15 for Atlassian Confluence allows attackers to read arbitrary files.

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2018-04-20
High

CVE-2017-2825

In the trapper functionality of Zabbix Server 2.4.x, specifically crafted trapper packets can pass database logic checks, resulting in database writes. An attacker can set up a Man-in-the-Middle serv…

CVSS: 7.0 CWE: N/A View on NVD
2018-04-09
Low

CVE-2017-2826

An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration inf…

CVSS: 3.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2018-02-01
Critical

CVE-2014-3005

XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or pote…

CVSS: 9.8 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2017-05-24
High

CVE-2017-2824

An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote co…

CVSS: 8.1 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2017-02-17
Critical

CVE-2016-10134

SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php.

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2017-01-23
High

CVE-2016-4338

The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, all…

CVSS: 8.1 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2015-01-02
High

CVE-2014-9450

Multiple SQL injection vulnerabilities in chart_bar.php in the frontend in Zabbix before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8 allow remote attackers to execute arbitrary SQL commands v…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2014-07-22
High

CVE-2014-4326

Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

CVSS: 7.5 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2014-05-08
Medium

CVE-2014-1685

The Frontend in Zabbix before 1.8.20rc2, 2.0.x before 2.0.11rc2, and 2.2.x before 2.2.2rc1 allows remote "Zabbix Admin" users to modify the media of arbitrary users via unspecified vectors.

CVSS: 5.5 CWE: N/A View on NVD
Medium

CVE-2014-1682

The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x before 2.2.2rc1 allows remote authenticated users to spoof arbitrary users via the user name in a user.login request.

CVSS: 4.0 CWE: CWE-287 - Improper Authentication View on NVD
2014-01-29
Medium

CVE-2012-6086

libs/zbxmedia/eztexting.c in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.8rc1, and 2.1.x before 2.1.2 does not properly set the CURLOPT_SSL_VERIFYHOST option for libcurl, which allows man-in-the-…

CVSS: 4.3 CWE: CWE-310 View on NVD
2013-12-19
High

CVE-2013-6824

Zabbix before 1.8.19rc1, 2.0 before 2.0.10rc1, and 2.2 before 2.2.1rc1 allows remote Zabbix servers and proxies to execute arbitrary commands via a newline in a flexible user parameter.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2013-12-14
Medium

CVE-2013-1364

The user.login function in Zabbix before 1.8.16 and 2.x before 2.0.5rc1 allows remote attackers to override LDAP configuration via the cnf parameter.

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2013-10-01
Low

CVE-2013-5572

Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code.

CVSS: 3.5 CWE: CWE-264 View on NVD
2012-08-15
High

CVE-2012-3435

SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid paramet…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2011-12-29
Medium

CVE-2011-5027

Cross-site scripting (XSS) vulnerability in ZABBIX before 1.8.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the profiler.

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2011-4615

Multiple cross-site scripting (XSS) vulnerabilities in Zabbix before 1.8.10 allow remote attackers to inject arbitrary web script or HTML via the gname parameter (aka host groups name) to (1) hostgro…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2011-12-02
High

CVE-2011-4674

SQL injection vulnerability in popup.php in Zabbix 1.8.3 and 1.8.4, and possibly other versions before 1.8.9, allows remote attackers to execute arbitrary SQL commands via the only_hostid parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2011-11-23
High

CVE-2010-5049

SQL injection vulnerability in events.php in Zabbix 1.8.1 and earlier allows remote attackers to execute arbitrary SQL commands via the nav_time parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2011-08-19
Medium

CVE-2011-3265

popup.php in Zabbix before 1.8.7 allows remote attackers to read the contents of arbitrary database tables via a modified srctbl parameter.

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-3264

Zabbix before 1.8.6 allows remote attackers to obtain sensitive information via an invalid srcfld2 parameter to popup.php, which reveals the installation path in an error message.

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-3263

zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows context-dependent attackers to cause a denial of service (CPU consumption) by executing the vfs.file.cksum command for a special dev…

CVSS: 5.0 CWE: CWE-399 View on NVD
Medium

CVE-2011-2904

Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix before 1.8.6 allows remote attackers to inject arbitrary web script or HTML via the backurl parameter.

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2010-08-05
Medium

CVE-2010-2790

Multiple cross-site scripting (XSS) vulnerabilities in the formatQuery function in frontends/php/include/classes/class.curl.php in Zabbix before 1.8.3rc1 allow remote attackers to inject arbitrary we…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2010-04-06
High

CVE-2010-1277

SQL injection vulnerability in the user.authenticate method in the API in Zabbix 1.8 before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the user parameter in JSON data to api_…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2009-12-31
Critical

CVE-2009-4502

The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary command…

CVSS: 9.3 CWE: CWE-264 View on NVD
Medium

CVE-2009-4501

The zbx_get_next_field function in libs/zbxcommon/str.c in Zabbix Server before 1.6.8 allows remote attackers to cause a denial of service (crash) via a request that lacks expected separators, which…

CVSS: 5.0 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
Medium

CVE-2009-4500

The process_trap function in trapper/trapper.c in Zabbix Server before 1.6.6 allows remote attackers to cause a denial of service (crash) via a crafted request with data that lacks an expected : (col…

CVSS: 5.0 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
High

CVE-2009-4499

SQL injection vulnerability in the get_history_lastid function in the nodewatcher component in Zabbix Server before 1.6.8 allows remote attackers to execute arbitrary SQL commands via a crafted reque…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2009-4498

The node_process_command function in Zabbix Server before 1.8 allows remote attackers to execute arbitrary commands via a crafted request.

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2008-03-17
Medium

CVE-2008-1353

zabbix_agentd in ZABBIX 1.4.4 allows remote attackers to cause a denial of service (CPU and connection consumption) via multiple vfs.file.cksum commands with a special device node such as /dev/urando…

CVSS: 4.3 CWE: N/A View on NVD
2007-12-04
Low

CVE-2007-6210

zabbix_agentd 1.1.4 in ZABBIX before 1.4.3 runs "UserParameter" scripts with gid 0, which might allow local users to gain privileges.

CVSS: 2.1 CWE: CWE-16 View on NVD
2007-01-31
Critical

CVE-2007-0640

Buffer overflow in ZABBIX before 1.1.5 has unknown impact and attack vectors related to "SNMP IP addresses."

CVSS: 10.0 CWE: N/A View on NVD
2006-12-21
High

CVE-2006-6692

Multiple format string vulnerabilities in zabbix before 20061006 allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in i…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-6693

Multiple buffer overflows in zabbix before 20061006 allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code via long strings to the (1) zabbix_log and (2)…

CVSS: 7.5 CWE: N/A View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox