CVE-2026-23921
Vulnerability Description
A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-89
Source
NVD
Vendor
Zabbix
Product
Zabbix
Discussion (0)
Add Comment
No comments yet. Be the first!