CVE-2026-23923

EUVD-2026-14956
An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.
Unsafe Reflection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
ZabbixCNA
6.9 MEDIUM
NETWORK
LOW
NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
zabbixzabbix
7.4.0 ≤
𝑥
≤ 7.4.6
CNA
Common Weakness Enumeration
References
https://support.zabbix.com/browse/ZBX-27641