CVE-2026-23923

EUVD-2026-14956
An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.
Unsafe Reflection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.9 MEDIUM
NETWORK
LOW
NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
zabbixzabbix
7.4.0 ≤
𝑥
≤ 7.4.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://support.zabbix.com/browse/ZBX-27641