Search for packages
| purl | pkg:deb/debian/zabbix@0?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-32c6-6w9k-k3c1 | When the webdriver for the Browser object downloads data from a HTTP server, the data pointer is set to NULL and is allocated only in curl_write_cb when receiving data. If the server's response is an empty document, then wd->data in the code below will remain NULL and an attempt to read from it will result in a crash. |
CVE-2024-42328
|
| VCID-3ha2-her6-jkfe | An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time. |
CVE-2026-23923
|
| VCID-5t3e-bfve-d3he | The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution. |
CVE-2023-32728
|
| VCID-76qf-8jm4-8kct | Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection. |
CVE-2024-22120
|
| VCID-8yyv-6phn-tkaq | The webdriver for the Browser object expects an error object to be initialized when the webdriver_session_query function fails. But this function can fail for various reasons without an error description and then the wd->error will be NULL and trying to read from it will result in a crash. |
CVE-2024-42329
|
| VCID-9jfn-6nvg-a3b6 | A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access. |
CVE-2024-42327
|
| VCID-a13m-gsde-jyf3 | An unauthenticated user can create a link with reflected Javascript code inside the backurl parameter and send it to other authenticated users in order to create a fake account with predefined login, password and role in Zabbix Frontend. |
CVE-2022-40626
|
| VCID-b6xv-kz4p-k3em | There was discovered a use after free bug in browser.c in the es_browser_get_variant function |
CVE-2024-42326
|
| VCID-dfwk-raex-fqfy | Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them. |
CVE-2025-27238
|
| VCID-f797-yxay-bffg | After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend. |
CVE-2022-23134
|
| VCID-fqc6-4dcw-tbcm | Arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on the port 10053. The service does not have proper validation for URL parameters before reading the files. |
CVE-2022-46768
|
| VCID-gguu-hkn6-gfbk | A Firewall Rule which allows all incoming TCP connections to all programs from any source and to all ports is created in Windows Firewall after Zabbix agent installation (MSI) |
CVE-2022-43516
|
| VCID-gyqk-zsww-ykdj | Specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the Zabbix Server or a Zabbix Proxy. |
CVE-2023-29451
|
| VCID-hfam-an1b-u7e3 | A low privilege (regular) Zabbix user with API access can use SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter. |
CVE-2024-36465
|
| VCID-hgbt-8rz5-q3a9 | Uncontrolled resource consumption refers to a software vulnerability where a attacker or system uses excessive resources, such as CPU, memory, or network bandwidth, without proper limitations or controls. This can cause a denial-of-service (DoS) attack or degrade the performance of the affected system. |
CVE-2024-36462
|
| VCID-n5md-76wa-dbaa | A Zabbix adminitrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field. |
CVE-2025-27240
|
| VCID-nye8-x53u-zkhw | A non-admin user can change or remove important features within the Zabbix Agent application, thus impacting the integrity and availability of the application. |
CVE-2024-22121
|
| VCID-nyhx-57xy-wugc | Currently, geomap configuration (Administration -> General -> Geographical maps) allows using HTML in the field “Attribution text” when selected “Other” Tile provider. |
CVE-2023-29452
|
| VCID-pyz2-fufh-c7gc | In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default). |
CVE-2022-23131
|
| VCID-ry8x-mjbp-qqct | A bug in the code allows an attacker to sign a forged zbx_session cookie, which then allows them to sign in with admin permissions. |
CVE-2024-36466
|
| VCID-s7ze-4huv-qqep | The reported vulnerability is a stack buffer overflow in the zbx_snmp_cache_handle_engineid function within the Zabbix server/proxy code. This issue occurs when copying data from session->securityEngineID to local_record.engineid without proper bounds checking. |
CVE-2024-36468
|
| VCID-s8ez-bd4f-vkch | In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL. |
CVE-2025-27237
|
| VCID-sudd-unuw-wqa9 | Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. This can be used to leak the NTLMv2 hash from a Windows system. |
CVE-2025-27233
|
| VCID-tekr-xkck-pkfu | Multiple vulnerabilities in Asterisk might allow remote attackers to cause a Denial of Service condition, or conduct other attacks. |
CVE-2008-7220
|
| VCID-tvzm-h9yk-dqhh | Library loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory. |
CVE-2025-49642
|
| VCID-uv2e-h2ju-2fgj | zabbix: Zabbix: Authenticated Super Admin can read arbitrary files via oauth.authorize action |
CVE-2025-27232
|
| VCID-vkfp-asar-7bhw | The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user. |
CVE-2023-32725
|