{"url":"http://public2.vulnerablecode.io/api/packages/195441?format=json","purl":"pkg:deb/debian/zabbix@1:6.0.14%2Bdfsg-1","type":"deb","namespace":"debian","name":"zabbix","version":"1:6.0.14+dfsg-1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1:7.0.9+dfsg-1~bpo12+1","latest_non_vulnerable_version":"1:7.0.9+dfsg-1~bpo12+1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107139?format=json","vulnerability_id":"VCID-18kh-njx3-p7aw","summary":"The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host' to a rogue LDAP server. To mitigate this, the 'Bind password' value is now reset on 'Host' change.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27231","reference_id":"","reference_type":"","scores":[{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12189","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27231"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27231","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27231"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117448","reference_id":"1117448","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117448"},{"reference_url":"https://support.zabbix.com/browse/ZBX-27062","reference_id":"ZBX-27062","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:H/U
I:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-03T13:55:44Z/"}],"url":"https://support.zabbix.com/browse/ZBX-27062"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2025-27231"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-18kh-njx3-p7aw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107138?format=json","vulnerability_id":"VCID-21tq-54r3-cqec","summary":"Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled resource exhaustion. An attacker can send specially crafted requests to the server, which will cause the server to allocate an excessive amount of memory and perform CPU-intensive decompression operations, ultimately leading to a service 
crash.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45700","reference_id":"","reference_type":"","scores":[{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35378","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45700"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45700","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45700"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://support.zabbix.com/browse/ZBX-26253","reference_id":"ZBX-26253","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-02T16:27:38Z/"}],"url":"https://support.zabbix.com/browse/ZBX-26253"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-45700"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-21tq-54r3-cqec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107101?format=json","vulnerability_id":"VCID-2jas-5kc1-puat","summary":"The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via 
zbx_json_open.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32722","reference_id":"","reference_type":"","scores":[{"value":"0.00357","scoring_system":"epss","scoring_elements":"0.58319","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32722"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32722","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32722"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053877","reference_id":"1053877","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053877"},{"reference_url":"https://support.zabbix.com/browse/ZBX-23390","reference_id":"ZBX-23390","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-18T15:26:49Z/"}],"url":"https://support.zabbix.com/browse/ZBX-23390"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-32722"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2jas-5kc1-puat"},{"url":"http://public2.vulnerablecode
.io/api/vulnerabilities/107135?format=json","vulnerability_id":"VCID-35gu-ctk8-2yd2","summary":"The researcher is showing that it is possible to leak a small amount of Zabbix Server memory using an out of bounds read in src/libs/zbxmedia/email.c","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42333","reference_id":"","reference_type":"","scores":[{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.32278","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42333"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42333","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42333"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689","reference_id":"1088689","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25629","reference_id":"ZBX-25629","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-27T14:54:27Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25629"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo1
2%252B1"}],"aliases":["CVE-2024-42333"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-35gu-ctk8-2yd2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107097?format=json","vulnerability_id":"VCID-3azv-fsyx-n3fz","summary":"Duktape is a 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. When too many values are added to the valstack, JavaScript will crash. This issue occurs due to a bug in Duktape 2.6, which is a 3rd-party solution that we use.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29458","reference_id":"","reference_type":"","scores":[{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33415","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29458"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29458","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29458"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175","reference_id":"1055175","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175"},{"reference_url":"https://support.zabbix.com/browse/ZBX-22989","reference_id":"ZBX-22989","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-22T16:19:37Z/"}],"url":"https://support.zabbix.com/browse/ZBX-22989"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bd
fsg-1~bpo12%252B1"}],"aliases":["CVE-2023-29458"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3azv-fsyx-n3fz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107117?format=json","vulnerability_id":"VCID-3stx-z7ze-wbe8","summary":"The front-end audit log allows viewing of unprotected plaintext passwords, where the passwords are displayed in plain text.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36460","reference_id":"","reference_type":"","scores":[{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63821","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36460"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36460","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36460"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078553","reference_id":"1078553","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078553"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25017","reference_id":"ZBX-25017","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-09T15:04:09Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25017"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","
purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-36460"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3stx-z7ze-wbe8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107152?format=json","vulnerability_id":"VCID-53f2-uzt4-pqgs","summary":"A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23921","reference_id":"","reference_type":"","scores":[{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.14195","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23921"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23921","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23921"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://support.zabbix.com/browse/ZBX-27640","reference_id":"ZBX-27640","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT
:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T19:24:25Z/"}],"url":"https://support.zabbix.com/browse/ZBX-27640"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2026-23921"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-53f2-uzt4-pqgs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107113?format=json","vulnerability_id":"VCID-547k-dyst-k3gx","summary":"Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to \"Audit Log\". Due to \"clientip\" field is not sanitized, it is possible to injection SQL into \"clientip\" and exploit time based blind SQL 
injection.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22120","reference_id":"","reference_type":"","scores":[{"value":"0.91949","scoring_system":"epss","scoring_elements":"0.99713","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22120"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072120","reference_id":"1072120","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072120"},{"reference_url":"https://support.zabbix.com/browse/ZBX-24505","reference_id":"ZBX-24505","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-20T13:29:40Z/"}],"url":"https://support.zabbix.com/browse/ZBX-24505"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-22120"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-547k-dyst-k3gx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107098?format=json","vulnerability_id":"VCID-5t3t-6uqs-akbk","summary":"A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with 
spaces before URL.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32721","reference_id":"","reference_type":"","scores":[{"value":"0.00715","scoring_system":"epss","scoring_elements":"0.72767","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32721"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32721","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32721"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053877","reference_id":"1053877","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053877"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-32721"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5t3t-6uqs-akbk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107132?format=json","vulnerability_id":"VCID-75fb-vhhc-fbe8","summary":"The HttpRequest object allows to get the HTTP headers from the server's response after sending the request. The problem is that the returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript. 
This allows to create internal strings that can be used to access hidden properties of objects.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42330","reference_id":"","reference_type":"","scores":[{"value":"0.0023","scoring_system":"epss","scoring_elements":"0.45951","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42330"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42330","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42330"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689","reference_id":"1088689","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25626","reference_id":"ZBX-25626","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-27T15:12:32Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25626"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-42330"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecod
e.io/vulnerabilities/VCID-75fb-vhhc-fbe8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107090?format=json","vulnerability_id":"VCID-7ajm-my3d-7fgy","summary":"Specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the Zabbix Server or a Zabbix Proxy.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29451","reference_id":"","reference_type":"","scores":[{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.32997","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29451"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175","reference_id":"1055175","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html","reference_id":"msg00027.html","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-22T16:25:43Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html"},{"reference_url":"https://support.zabbix.com/browse/ZBX-22587","reference_id":"ZBX-22587","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-22T16:25:43Z/"}],"url":"https://support.zabbix.com/browse/Z
BX-22587"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-29451"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7ajm-my3d-7fgy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107103?format=json","vulnerability_id":"VCID-8eb9-mxpg-5kf2","summary":"A memory pointer is in a property of the Duktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32724","reference_id":"","reference_type":"","scores":[{"value":"0.0072","scoring_system":"epss","scoring_elements":"0.72887","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32724"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32724","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32724"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053877","reference_id":"1053877","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053877"},{"reference_url":"https://support.zabbix.com/browse/ZBX-23391","reference_id":"ZBX-23391","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-17T13:43:17Z/"}],"url":"https://support.zabbix.com/browse/ZBX-23391"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json
","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-32724"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8eb9-mxpg-5kf2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107092?format=json","vulnerability_id":"VCID-8zqh-3xt2-nbdq","summary":"Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g., \"var a = {{.}}\"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template. Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. 
This should be used with caution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29453","reference_id":"","reference_type":"","scores":[{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68657","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29453"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29453","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29453"},{"reference_url":"https://support.zabbix.com/browse/ZBX-23388","reference_id":"ZBX-23388","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-09-18T15:17:42Z/"}],"url":"https://support.zabbix.com/browse/ZBX-23388"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-29453"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8zqh-3xt2-nbdq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107112?format=json","vulnerability_id":"VCID-ambh-afzs-2kg9","summary":"The cause of vulnerability is improper validation of form input field “Name” on Graph page in Items 
section.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22119","reference_id":"","reference_type":"","scores":[{"value":"0.00423","scoring_system":"epss","scoring_elements":"0.62467","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22119"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22119","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22119"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/04/msg00020.html","reference_id":"msg00020.html","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T14:54:06Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2024/04/msg00020.html"},{"reference_url":"https://support.zabbix.com/browse/ZBX-24070","reference_id":"ZBX-24070","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T14:54:06Z/"}],"url":"https://support.zabbix.com/browse/ZBX-24070"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9
%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-22119"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ambh-afzs-2kg9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107116?format=json","vulnerability_id":"VCID-beqm-vczf-dqgj","summary":"Configuring SMS media allows setting the GSM modem file. Later this file is used as a Linux device. But because everything is a file on Linux, it is possible to set another file, e.g. a log file, and zabbix_server will try to communicate with it as a modem. As a result, the log file will be corrupted with AT commands and a small part of the log file content will be leaked to the UI.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22123","reference_id":"","reference_type":"","scores":[{"value":"0.00402","scoring_system":"epss","scoring_elements":"0.61169","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22123"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22123","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22123"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078553","reference_id":"1078553","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078553"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25013","reference_id":"ZBX-25013","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"Track","scoring_system":"
ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:40:56Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25013"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-22123"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-beqm-vczf-dqgj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65740?format=json","vulnerability_id":"VCID-bff2-nhum-ckhj","summary":"zabbix: Zabbix: Confidentiality loss via improper access control in configuration.import API","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23925.json","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23925.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23925","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03617","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23925"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23925","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23925"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/
security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445155","reference_id":"2445155","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445155"},{"reference_url":"https://support.zabbix.com/browse/ZBX-27567","reference_id":"ZBX-27567","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:N/SA:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:54:37Z/"}],"url":"https://support.zabbix.com/browse/ZBX-27567"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2026-23925"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bff2-nhum-ckhj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107107?format=json","vulnerability_id":"VCID-buz8-zycr-tbh2","summary":"An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix 
server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32727","reference_id":"","reference_type":"","scores":[{"value":"0.00464","scoring_system":"epss","scoring_elements":"0.64715","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32727"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32727","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32727"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://support.zabbix.com/browse/ZBX-23857","reference_id":"ZBX-23857","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-07T20:37:31Z/"}],"url":"https://support.zabbix.com/browse/ZBX-23857"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-32727"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-buz8-zycr-tbh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107150?format=json","vulnerability_id":"VCID-dr1v-72p6-2yhn","summary":"For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, 
JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information <a href='https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe'>in Zabbix documentation</a>.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23919","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09005","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23919"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23919","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23919"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://support.zabbix.com/browse/ZBX-27638","reference_id":"ZBX-27638","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:36:08Z/"}],"url":"https://support.zabbix.com/browse/ZBX-27638"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vu
lnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2026-23919"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dr1v-72p6-2yhn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107094?format=json","vulnerability_id":"VCID-fefk-6mjh-67fm","summary":"Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29455","reference_id":"","reference_type":"","scores":[{"value":"0.01231","scoring_system":"epss","scoring_elements":"0.79538","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29455"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29455","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29455"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175","reference_id":"1055175","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html","reference_id":"msg00027.html","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-21T21:06:45Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html"},{"reference_url":"https://support.zabbix.com/browse/ZBX-22986","reference_id":"ZBX-22986","r
eference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-21T21:06:45Z/"}],"url":"https://support.zabbix.com/browse/ZBX-22986"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-29455"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fefk-6mjh-67fm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107151?format=json","vulnerability_id":"VCID-frdw-trch-uufq","summary":"Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. 
If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23920","reference_id":"","reference_type":"","scores":[{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21608","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23920"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23920","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23920"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://support.zabbix.com/browse/ZBX-27639","reference_id":"ZBX-27639","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T19:24:03Z/"}],"url":"https://support.zabbix.com/browse/ZBX-27639"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2026-23920"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-frdw-trch-uufq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107146?format=json","vulnerabilit
y_id":"VCID-gapt-kwkw-kkek","summary":"A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49641","reference_id":"","reference_type":"","scores":[{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14493","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49641"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49641","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49641"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117448","reference_id":"1117448","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117448"},{"reference_url":"https://support.zabbix.com/browse/ZBX-27063","reference_id":"ZBX-27063","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-03T13:51:55Z/"}],"url":"https://support.zabbix.com/browse/ZBX-27063"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%25
2B1"}],"aliases":["CVE-2025-49641"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gapt-kwkw-kkek"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107149?format=json","vulnerability_id":"VCID-gj5s-dde8-1ubx","summary":"An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49643","reference_id":"","reference_type":"","scores":[{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27583","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49643"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49643","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49643"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121841","reference_id":"1121841","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121841"},{"reference_url":"https://support.zabbix.com/browse/ZBX-27284","reference_id":"ZBX-27284","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-01T14:33:57Z/"}],"url":"https://support.zabbix.com/browse/ZBX-27284"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-202
5-49643"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gj5s-dde8-1ubx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107096?format=json","vulnerability_id":"VCID-h5fw-ktc6-rqd3","summary":"Reflected XSS attacks occur when a malicious script is reflected off a web application to the victim's browser. The script can be activated through Action form fields, which can be sent as a request to a website with a vulnerability that enables execution of malicious scripts.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29457","reference_id":"","reference_type":"","scores":[{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.66151","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29457"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29457","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29457"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175","reference_id":"1055175","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html","reference_id":"msg00027.html","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-21T21:06:43Z/"}],"url":"
https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html"},{"reference_url":"https://support.zabbix.com/browse/ZBX-22988","reference_id":"ZBX-22988","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-21T21:06:43Z/"}],"url":"https://support.zabbix.com/browse/ZBX-22988"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-29457"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h5fw-ktc6-rqd3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107133?format=json","vulnerability_id":"VCID-hhsz-ba47-zka4","summary":"In the src/libs/zbxembed/browser.c file, the es_browser_ctor method retrieves a heap pointer from the Duktape JavaScript engine. This heap pointer is subsequently utilized by the browser_push_error method in the src/libs/zbxembed/browser_error.c file. 
A use-after-free bug can occur at this stage if the wd->browser heap pointer is freed by garbage collection.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42331","reference_id":"","reference_type":"","scores":[{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.14193","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42331"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42331","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42331"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689","reference_id":"1088689","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25627","reference_id":"ZBX-25627","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-27T14:55:25Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25627"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-42331"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2
.vulnerablecode.io/vulnerabilities/VCID-hhsz-ba47-zka4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107106?format=json","vulnerability_id":"VCID-jate-jey2-n3g1","summary":"The vulnerability is caused by improper check for check if RDLENGTH does not overflow the buffer in response from DNS server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32726","reference_id":"","reference_type":"","scores":[{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.32566","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32726"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32726","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32726"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-32726"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jate-jey2-n3g1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107120?format=json","vulnerability_id":"VCID-jkcz-zpks-ubgz","summary":"The implementation of atob in \"Zabbix JS\" allows to create a string with arbitrary content and use it to access internal properties of 
objects.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36463","reference_id":"","reference_type":"","scores":[{"value":"0.00378","scoring_system":"epss","scoring_elements":"0.59676","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36463"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36463","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36463"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25611","reference_id":"ZBX-25611","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-26T16:21:34Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25611"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-36463"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jkcz-zpks-ubgz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107124?format=json","vulnerability_id":"VCID-jked-29nn-tqe3","summary":"An authenticated user with API access (e.g.: user with default User role), more specifically a user with 
access to the user.update API endpoint is enough to be able to add themselves to any group (e.g.: Zabbix Administrators), except to groups that are disabled or having restricted GUI access.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36467","reference_id":"","reference_type":"","scores":[{"value":"0.00608","scoring_system":"epss","scoring_elements":"0.70143","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36467"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36467","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36467"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689","reference_id":"1088689","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25614","reference_id":"ZBX-25614","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-04T04:55:25Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25614"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-36467"],"risk_score":nul
l,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jked-29nn-tqe3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107136?format=json","vulnerability_id":"VCID-jx4z-thz3-rbdw","summary":"The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45699","reference_id":"","reference_type":"","scores":[{"value":"0.00142","scoring_system":"epss","scoring_elements":"0.34152","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45699"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45699","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45699"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://support.zabbix.com/browse/ZBX-26254","reference_id":"ZBX-26254","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-02T16:28:20Z/"}],"url":"https://support.zabbix.com/browse/ZBX-26254"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=js
on","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-45699"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jx4z-thz3-rbdw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107091?format=json","vulnerability_id":"VCID-jy3a-zvh4-b3ag","summary":"Currently, geomap configuration (Administration -> General -> Geographical maps) allows using HTML in the field “Attribution text” when selected “Other” Tile provider.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29452","reference_id":"","reference_type":"","scores":[{"value":"0.01991","scoring_system":"epss","scoring_elements":"0.83966","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29452"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175","reference_id":"1055175","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175"},{"reference_url":"https://support.zabbix.com/browse/ZBX-22981","reference_id":"ZBX-22981","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-22T16:21:55Z/"}],"url":"https://support.zabbix.com/browse/ZBX-22981"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-29452"],"risk_score":null,"e
xploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jy3a-zvh4-b3ag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107108?format=json","vulnerability_id":"VCID-kfz9-wq8k-nkb3","summary":"The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command, resulting in a possible remote code execution vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32728","reference_id":"","reference_type":"","scores":[{"value":"0.00536","scoring_system":"epss","scoring_elements":"0.67845","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32728"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://support.zabbix.com/browse/ZBX-23858","reference_id":"ZBX-23858","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-27T20:43:15Z/"}],"url":"https://support.zabbix.com/browse/ZBX-23858"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-32728"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kfz9-wq8k-nkb3"},{"url":"http:
//public2.vulnerablecode.io/api/vulnerabilities/107104?format=json","vulnerability_id":"VCID-m5us-tmqh-wkbm","summary":"The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32725","reference_id":"","reference_type":"","scores":[{"value":"0.01064","scoring_system":"epss","scoring_elements":"0.78041","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32725"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-32725"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m5us-tmqh-wkbm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107095?format=json","vulnerability_id":"VCID-mpy5-d7qa-u7fz","summary":"URL validation scheme receives input from a user and then parses it to identify its various components. 
The validation scheme can ensure that all URL components comply with internet standards.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29456","reference_id":"","reference_type":"","scores":[{"value":"0.00155","scoring_system":"epss","scoring_elements":"0.35985","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29456"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29456","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29456"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175","reference_id":"1055175","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html","reference_id":"msg00027.html","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-22T16:19:48Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html"},{"reference_url":"https://support.zabbix.com/browse/ZBX-22987","reference_id":"ZBX-22987","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-22T16:19:48Z/"}],"url":"https://support.zabbix.com/browse/ZBX-22987"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-202
3-29456"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mpy5-d7qa-u7fz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107121?format=json","vulnerability_id":"VCID-n38c-6usb-tkgq","summary":"When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36464","reference_id":"","reference_type":"","scores":[{"value":"0.00067","scoring_system":"epss","scoring_elements":"0.20955","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36464"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36464","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36464"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1090030","reference_id":"1090030","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1090030"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25630","reference_id":"ZBX-25630","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-27T14:27:15Z/"}],"url":"https://suppo
rt.zabbix.com/browse/ZBX-25630"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-36464"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n38c-6usb-tkgq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107142?format=json","vulnerability_id":"VCID-nv7m-hsr3-17gk","summary":"A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27236","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13378","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27236"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27236","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27236"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117448","reference_id":"1117448","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117448"},{"reference_url":"https://support.zabbix.com/browse/ZBX-27060","reference_id":
"ZBX-27060","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-03T13:52:30Z/"}],"url":"https://support.zabbix.com/browse/ZBX-27060"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2025-27236"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nv7m-hsr3-17gk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107110?format=json","vulnerability_id":"VCID-pgj4-u64z-17bt","summary":"An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. 
The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22116","reference_id":"","reference_type":"","scores":[{"value":"0.00497","scoring_system":"epss","scoring_elements":"0.66247","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22116"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22116","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22116"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078553","reference_id":"1078553","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078553"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25016","reference_id":"ZBX-25016","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-04T04:55:28Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25016"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-22116"],"risk_score":null,"exploitability":"0.5","wei
ghted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pgj4-u64z-17bt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107123?format=json","vulnerability_id":"VCID-pr1g-m4k2-1ue1","summary":"A bug in the code allows an attacker to sign a forged zbx_session cookie, which then allows them to sign in with admin permissions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36466","reference_id":"","reference_type":"","scores":[{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.49044","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36466"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25635","reference_id":"ZBX-25635","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-04T04:55:27Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25635"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-36466"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pr1g-m4k2-1ue1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107089?format=json",
"vulnerability_id":"VCID-sc8u-4w9c-23ev","summary":"JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user \"zabbix\") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29450","reference_id":"","reference_type":"","scores":[{"value":"0.00309","scoring_system":"epss","scoring_elements":"0.54388","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29450"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29450","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29450"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175","reference_id":"1055175","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html","reference_id":"msg00027.html","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-06T14:20:54Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html"},{"reference_url":"https://support.zabbix.com/browse/ZBX-22588","reference_id":"ZBX-22588","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C
:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-06T14:20:54Z/"}],"url":"https://support.zabbix.com/browse/ZBX-22588"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-29450"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sc8u-4w9c-23ev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107109?format=json","vulnerability_id":"VCID-t864-v2g6-jbhk","summary":"User with no permission to any of the Hosts can access and view host count & other statistics through System Information Widget in Global View Dashboard.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22114","reference_id":"","reference_type":"","scores":[{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38855","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22114"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22114","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22114"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078553","reference_id":"1078553","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.
cgi?bug=1078553"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25015","reference_id":"ZBX-25015","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T12:39:48Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25015"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-22114"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t864-v2g6-jbhk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107140?format=json","vulnerability_id":"VCID-tbsd-gk6n-9ygc","summary":"Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. 
This can be used to leak the NTLMv2 hash from a Windows system.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27233","reference_id":"","reference_type":"","scores":[{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12084","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27233"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117448","reference_id":"1117448","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117448"},{"reference_url":"https://support.zabbix.com/browse/ZBX-26987","reference_id":"ZBX-26987","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-12T11:57:58Z/"}],"url":"https://support.zabbix.com/browse/ZBX-26987"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2025-27233"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tbsd-gk6n-9ygc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107087?format=json","vulnerability_id":"VCID-u4hp-dwsj-53b9","summary":"JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). 
Administrative privileges should be typically granted to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29449","reference_id":"","reference_type":"","scores":[{"value":"0.0086","scoring_system":"epss","scoring_elements":"0.75407","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29449"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29449","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29449"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175","reference_id":"1055175","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175"},{"reference_url":"https://support.zabbix.com/browse/ZBX-22589","reference_id":"ZBX-22589","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-22T16:25:49Z/"}],"url":"https://support.zabbix.com/browse/ZBX-22589"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-29449
"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u4hp-dwsj-53b9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107118?format=json","vulnerability_id":"VCID-ubyg-pbmy-ekds","summary":"Within Zabbix, users have the ability to directly modify memory pointers in the JavaScript engine.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36461","reference_id":"","reference_type":"","scores":[{"value":"0.00725","scoring_system":"epss","scoring_elements":"0.72995","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36461"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36461","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36461"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078553","reference_id":"1078553","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078553"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25018","reference_id":"ZBX-25018","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T15:21:52Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25018"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable"
:false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-36461"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ubyg-pbmy-ekds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107127?format=json","vulnerability_id":"VCID-vuzz-by1n-aff9","summary":"Zabbix API user.get returns all users that share common group with the calling user. This includes media and other information, such as login attempts, etc.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42325","reference_id":"","reference_type":"","scores":[{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17113","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42325"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42325","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42325"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://support.zabbix.com/browse/ZBX-26258","reference_id":"ZBX-26258","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-02T14:48:54Z/"}],"url":"https://support.zabbix.com/browse/ZBX-26258"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/deb
ian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-42325"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vuzz-by1n-aff9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107129?format=json","vulnerability_id":"VCID-w384-t6ne-s3g7","summary":"A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42327","reference_id":"","reference_type":"","scores":[{"value":"0.91398","scoring_system":"epss","scoring_elements":"0.99679","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42327"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689","reference_id":"1088689","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52230.py","reference_id":"CVE-2024-42327","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52230.py"},{"reference_url":"https://su
pport.zabbix.com/browse/ZBX-25623","reference_id":"ZBX-25623","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-27T15:10:31Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25623"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-42327"],"risk_score":null,"exploitability":"2.0","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w384-t6ne-s3g7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107126?format=json","vulnerability_id":"VCID-w4dd-77t2-wuc7","summary":"Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing 
one.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36469","reference_id":"","reference_type":"","scores":[{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30688","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36469"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36469","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36469"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://support.zabbix.com/browse/ZBX-26255","reference_id":"ZBX-26255","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-02T15:00:32Z/"}],"url":"https://support.zabbix.com/browse/ZBX-26255"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-36469"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w4dd-77t2-wuc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107145?format=json","vulnerability_id":"VCID-wurt-zx5x-8kds","summary":"A Zabbix adminitrator can inject arbitrary SQL during the autoremoval of hosts by inserting 
malicious SQL in the 'Visible name' field.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27240","reference_id":"","reference_type":"","scores":[{"value":"0.00093","scoring_system":"epss","scoring_elements":"0.26116","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27240"},{"reference_url":"https://support.zabbix.com/browse/ZBX-26986","reference_id":"ZBX-26986","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-13T03:55:34Z/"}],"url":"https://support.zabbix.com/browse/ZBX-26986"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2025-27240"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wurt-zx5x-8kds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107115?format=json","vulnerability_id":"VCID-wv5n-ccn5-fqc2","summary":"Zabbix allows to configure SMS notifications. AT command injection occurs on \"Zabbix Server\" because there is no validation of \"Number\" field on Web nor on Zabbix server side. 
An attacker can run an SMS test with a specially crafted phone number and execute additional AT commands on the modem.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22122","reference_id":"","reference_type":"","scores":[{"value":"0.00438","scoring_system":"epss","scoring_elements":"0.63478","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22122"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078553","reference_id":"1078553","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078553"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25012","reference_id":"ZBX-25012","reference_type":"","scores":[{"value":"3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:46:40Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25012"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-22122"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://publi
c2.vulnerablecode.io/vulnerabilities/VCID-wv5n-ccn5-fqc2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107134?format=json","vulnerability_id":"VCID-xaqm-x1w4-s3hn","summary":"The researcher is showing that due to the way the SNMP trap log is parsed, an attacker can craft an SNMP trap with additional lines of information and have forged data show in the Zabbix UI. This attack requires SNMP auth to be off and/or the attacker to know the community/auth details. The attack requires an SNMP item to be configured as text on the target host.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42332","reference_id":"","reference_type":"","scores":[{"value":"0.00841","scoring_system":"epss","scoring_elements":"0.75111","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42332"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42332","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42332"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689","reference_id":"1088689","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25628","reference_id":"ZBX-25628","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-27T14:54:59Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25628
"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-42332"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xaqm-x1w4-s3hn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107093?format=json","vulnerability_id":"VCID-xwr8-85au-ukd7","summary":"Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29454","reference_id":"","reference_type":"","scores":[{"value":"0.00815","scoring_system":"epss","scoring_elements":"0.74676","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29454"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29454","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29454"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175","reference_id":"1055175","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html","reference_id":"msg00027.html","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SS
VCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-21T21:06:47Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html"},{"reference_url":"https://support.zabbix.com/browse/ZBX-22985","reference_id":"ZBX-22985","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-21T21:06:47Z/"}],"url":"https://support.zabbix.com/browse/ZBX-22985"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-29454"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xwr8-85au-ukd7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107111?format=json","vulnerability_id":"VCID-ytep-z8dn-vfh7","summary":"When a URL is added to the map element, it is recorded in the database with sequential IDs. Upon adding a new URL, the system retrieves the last sysmapelementurlid value and increments it by one. However, an issue arises when a user manually changes the sysmapelementurlid value by adding sysmapelementurlid + 1. 
This action prevents others from adding URLs to the map element.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22117","reference_id":"","reference_type":"","scores":[{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.18104","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22117"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22117","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22117"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25610","reference_id":"ZBX-25610","reference_type":"","scores":[{"value":"2.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-26T15:03:28Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25610"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-22117"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ytep-z8dn-vfh7"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107138?format=json","vulnerability_id":"VCID-21tq-54r3-cqec","summary":"Zabbix server is vulnerable 
to a DoS vulnerability due to uncontrolled resource exhaustion. An attacker can send specially crafted requests to the server, which will cause the server to allocate an excessive amount of memory and perform CPU-intensive decompression operations, ultimately leading to a service crash.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45700","reference_id":"","reference_type":"","scores":[{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35378","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45700"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45700","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45700"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://support.zabbix.com/browse/ZBX-26253","reference_id":"ZBX-26253","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-02T16:27:38Z/"}],"url":"https://support.zabbix.com/browse/ZBX-26253"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195441?format=json","purl":"pkg:deb/debian/zabbix@1:6.0.14%2Bdfsg-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18kh-njx3-p7aw"},{"vulnerability":"VCID-21tq-54r3-cqec"},{"vulnerability":"VCID-2jas-5kc1-puat"},{"vulnerability":"VCID-35gu-ctk8-2yd2"},{"vulnerability":"VCID-3azv-fsyx-n3fz"},{"vulnerability":"VCID-3stx-z7ze-wbe8"},{"vulnerability":"VC
ID-53f2-uzt4-pqgs"},{"vulnerability":"VCID-547k-dyst-k3gx"},{"vulnerability":"VCID-5t3t-6uqs-akbk"},{"vulnerability":"VCID-75fb-vhhc-fbe8"},{"vulnerability":"VCID-7ajm-my3d-7fgy"},{"vulnerability":"VCID-8eb9-mxpg-5kf2"},{"vulnerability":"VCID-8zqh-3xt2-nbdq"},{"vulnerability":"VCID-ambh-afzs-2kg9"},{"vulnerability":"VCID-beqm-vczf-dqgj"},{"vulnerability":"VCID-bff2-nhum-ckhj"},{"vulnerability":"VCID-buz8-zycr-tbh2"},{"vulnerability":"VCID-dr1v-72p6-2yhn"},{"vulnerability":"VCID-fefk-6mjh-67fm"},{"vulnerability":"VCID-frdw-trch-uufq"},{"vulnerability":"VCID-gapt-kwkw-kkek"},{"vulnerability":"VCID-gj5s-dde8-1ubx"},{"vulnerability":"VCID-h5fw-ktc6-rqd3"},{"vulnerability":"VCID-hhsz-ba47-zka4"},{"vulnerability":"VCID-jate-jey2-n3g1"},{"vulnerability":"VCID-jkcz-zpks-ubgz"},{"vulnerability":"VCID-jked-29nn-tqe3"},{"vulnerability":"VCID-jx4z-thz3-rbdw"},{"vulnerability":"VCID-jy3a-zvh4-b3ag"},{"vulnerability":"VCID-kfz9-wq8k-nkb3"},{"vulnerability":"VCID-m5us-tmqh-wkbm"},{"vulnerability":"VCID-mpy5-d7qa-u7fz"},{"vulnerability":"VCID-n38c-6usb-tkgq"},{"vulnerability":"VCID-nv7m-hsr3-17gk"},{"vulnerability":"VCID-pgj4-u64z-17bt"},{"vulnerability":"VCID-pr1g-m4k2-1ue1"},{"vulnerability":"VCID-sc8u-4w9c-23ev"},{"vulnerability":"VCID-t864-v2g6-jbhk"},{"vulnerability":"VCID-tbsd-gk6n-9ygc"},{"vulnerability":"VCID-u4hp-dwsj-53b9"},{"vulnerability":"VCID-ubyg-pbmy-ekds"},{"vulnerability":"VCID-vuzz-by1n-aff9"},{"vulnerability":"VCID-w384-t6ne-s3g7"},{"vulnerability":"VCID-w4dd-77t2-wuc7"},{"vulnerability":"VCID-wurt-zx5x-8kds"},{"vulnerability":"VCID-wv5n-ccn5-fqc2"},{"vulnerability":"VCID-xaqm-x1w4-s3hn"},{"vulnerability":"VCID-xwr8-85au-ukd7"},{"vulnerability":"VCID-ytep-z8dn-vfh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:6.0.14%252Bdfsg-1"},{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_
url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-45700"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-21tq-54r3-cqec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107076?format=json","vulnerability_id":"VCID-4c5a-bddp-pka5","summary":"An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24917","reference_id":"","reference_type":"","scores":[{"value":"0.00882","scoring_system":"epss","scoring_elements":"0.75753","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00882","scoring_system":"epss","scoring_elements":"0.7578","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24917"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24917","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24917"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195441?format=json","purl":"pkg:deb/debian/zabbix@1:6.0.14%2Bdfsg-1","is_vulnerable":t
rue,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18kh-njx3-p7aw"},{"vulnerability":"VCID-21tq-54r3-cqec"},{"vulnerability":"VCID-2jas-5kc1-puat"},{"vulnerability":"VCID-35gu-ctk8-2yd2"},{"vulnerability":"VCID-3azv-fsyx-n3fz"},{"vulnerability":"VCID-3stx-z7ze-wbe8"},{"vulnerability":"VCID-53f2-uzt4-pqgs"},{"vulnerability":"VCID-547k-dyst-k3gx"},{"vulnerability":"VCID-5t3t-6uqs-akbk"},{"vulnerability":"VCID-75fb-vhhc-fbe8"},{"vulnerability":"VCID-7ajm-my3d-7fgy"},{"vulnerability":"VCID-8eb9-mxpg-5kf2"},{"vulnerability":"VCID-8zqh-3xt2-nbdq"},{"vulnerability":"VCID-ambh-afzs-2kg9"},{"vulnerability":"VCID-beqm-vczf-dqgj"},{"vulnerability":"VCID-bff2-nhum-ckhj"},{"vulnerability":"VCID-buz8-zycr-tbh2"},{"vulnerability":"VCID-dr1v-72p6-2yhn"},{"vulnerability":"VCID-fefk-6mjh-67fm"},{"vulnerability":"VCID-frdw-trch-uufq"},{"vulnerability":"VCID-gapt-kwkw-kkek"},{"vulnerability":"VCID-gj5s-dde8-1ubx"},{"vulnerability":"VCID-h5fw-ktc6-rqd3"},{"vulnerability":"VCID-hhsz-ba47-zka4"},{"vulnerability":"VCID-jate-jey2-n3g1"},{"vulnerability":"VCID-jkcz-zpks-ubgz"},{"vulnerability":"VCID-jked-29nn-tqe3"},{"vulnerability":"VCID-jx4z-thz3-rbdw"},{"vulnerability":"VCID-jy3a-zvh4-b3ag"},{"vulnerability":"VCID-kfz9-wq8k-nkb3"},{"vulnerability":"VCID-m5us-tmqh-wkbm"},{"vulnerability":"VCID-mpy5-d7qa-u7fz"},{"vulnerability":"VCID-n38c-6usb-tkgq"},{"vulnerability":"VCID-nv7m-hsr3-17gk"},{"vulnerability":"VCID-pgj4-u64z-17bt"},{"vulnerability":"VCID-pr1g-m4k2-1ue1"},{"vulnerability":"VCID-sc8u-4w9c-23ev"},{"vulnerability":"VCID-t864-v2g6-jbhk"},{"vulnerability":"VCID-tbsd-gk6n-9ygc"},{"vulnerability":"VCID-u4hp-dwsj-53b9"},{"vulnerability":"VCID-ubyg-pbmy-ekds"},{"vulnerability":"VCID-vuzz-by1n-aff9"},{"vulnerability":"VCID-w384-t6ne-s3g7"},{"vulnerability":"VCID-w4dd-77t2-wuc7"},{"vulnerability":"VCID-wurt-zx5x-8kds"},{"vulnerability":"VCID-wv5n-ccn5-fqc2"},{"vulnerability":"VCID-xaqm-x1w4-s3hn"},{"vulnerability":"VCID-xwr8-85au-ukd7"},{"vulnerability":"VCID-ytep-z8dn-vfh7"}],"res
ource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:6.0.14%252Bdfsg-1"}],"aliases":["CVE-2022-24917"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4c5a-bddp-pka5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107075?format=json","vulnerability_id":"VCID-bm7b-qurk-2qdk","summary":"An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication 
channel.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24349","reference_id":"","reference_type":"","scores":[{"value":"0.00849","scoring_system":"epss","scoring_elements":"0.75232","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00849","scoring_system":"epss","scoring_elements":"0.75261","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24349"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195441?format=json","purl":"pkg:deb/debian/zabbix@1:6.0.14%2Bdfsg-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18kh-njx3-p7aw"},{"vulnerability":"VCID-21tq-54r3-cqec"},{"vulnerability":"VCID-2jas-5kc1-puat"},{"vulnerability":"VCID-35gu-ctk8-2yd2"},{"vulnerability":"VCID-3azv-fsyx-n3fz"},{"vulnerability":"VCID-3stx-z7ze-wbe8"},{"vulnerability":"VCID-53f2-uzt4-pqgs"},{"vulnerability":"VCID-547k-dyst-k3gx"},{"vulnerability":"VCID-5t3t-6uqs-akbk"},{"vulnerability":"VCID-75fb-vhhc-fbe8"},{"vulnerability":"VCID-7ajm-my3d-7fgy"},{"vulnerability":"VCID-8eb9-mxpg-5kf2"},{"vulnerability":"VCID-8zqh-3xt2-nbdq"},{"vulnerability":"VCID-ambh-afzs-2kg9"},{"vulnerability":"VCID-beqm-vczf-dqgj"},{"vulnerability":"VCID-bff2-nhum-ckhj"},{"vulnerability":"VCID-buz8-zycr-tbh2"},{"vulnerability":"VCID-dr1v-72p6-2yhn"},{"vulnerability":"VCID-fefk-6mjh-67fm"},{"vulnerability":"VCID-frdw-trch-uufq"},{"vulnerability":"VCID-gapt-kwkw-kkek"},{"vuln
erability":"VCID-gj5s-dde8-1ubx"},{"vulnerability":"VCID-h5fw-ktc6-rqd3"},{"vulnerability":"VCID-hhsz-ba47-zka4"},{"vulnerability":"VCID-jate-jey2-n3g1"},{"vulnerability":"VCID-jkcz-zpks-ubgz"},{"vulnerability":"VCID-jked-29nn-tqe3"},{"vulnerability":"VCID-jx4z-thz3-rbdw"},{"vulnerability":"VCID-jy3a-zvh4-b3ag"},{"vulnerability":"VCID-kfz9-wq8k-nkb3"},{"vulnerability":"VCID-m5us-tmqh-wkbm"},{"vulnerability":"VCID-mpy5-d7qa-u7fz"},{"vulnerability":"VCID-n38c-6usb-tkgq"},{"vulnerability":"VCID-nv7m-hsr3-17gk"},{"vulnerability":"VCID-pgj4-u64z-17bt"},{"vulnerability":"VCID-pr1g-m4k2-1ue1"},{"vulnerability":"VCID-sc8u-4w9c-23ev"},{"vulnerability":"VCID-t864-v2g6-jbhk"},{"vulnerability":"VCID-tbsd-gk6n-9ygc"},{"vulnerability":"VCID-u4hp-dwsj-53b9"},{"vulnerability":"VCID-ubyg-pbmy-ekds"},{"vulnerability":"VCID-vuzz-by1n-aff9"},{"vulnerability":"VCID-w384-t6ne-s3g7"},{"vulnerability":"VCID-w4dd-77t2-wuc7"},{"vulnerability":"VCID-wurt-zx5x-8kds"},{"vulnerability":"VCID-wv5n-ccn5-fqc2"},{"vulnerability":"VCID-xaqm-x1w4-s3hn"},{"vulnerability":"VCID-xwr8-85au-ukd7"},{"vulnerability":"VCID-ytep-z8dn-vfh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:6.0.14%252Bdfsg-1"}],"aliases":["CVE-2022-24349"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bm7b-qurk-2qdk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107124?format=json","vulnerability_id":"VCID-jked-29nn-tqe3","summary":"An authenticated user with API access (e.g.: user with default User role), more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group (e.g.: Zabbix Administrators), except to groups that are disabled or having restricted GUI 
access.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36467","reference_id":"","reference_type":"","scores":[{"value":"0.00608","scoring_system":"epss","scoring_elements":"0.70143","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36467"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36467","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36467"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689","reference_id":"1088689","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25614","reference_id":"ZBX-25614","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-04T04:55:25Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25614"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195441?format=json","purl":"pkg:deb/debian/zabbix@1:6.0.14%2Bdfsg-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18kh-njx3-p7aw"},{"vulnerability":"VCID-21tq-54r3-cqec"},{"vulnerability":"VCID-2jas-5kc1-puat"},{"vulnerability":"VCID-35gu-ctk8-2yd2"},{"vulnerability":"VCID-3azv-fsyx-n3fz"},{"vulnerability":"VCID-3stx-z7ze-wbe8"},{"vulnerability":"VCID-53f2-uzt4-pqgs"},{"vulnerability":"VCID-547k-dyst-k3gx"},{"vulnerability":"VCID-5t3t-6uqs-
akbk"},{"vulnerability":"VCID-75fb-vhhc-fbe8"},{"vulnerability":"VCID-7ajm-my3d-7fgy"},{"vulnerability":"VCID-8eb9-mxpg-5kf2"},{"vulnerability":"VCID-8zqh-3xt2-nbdq"},{"vulnerability":"VCID-ambh-afzs-2kg9"},{"vulnerability":"VCID-beqm-vczf-dqgj"},{"vulnerability":"VCID-bff2-nhum-ckhj"},{"vulnerability":"VCID-buz8-zycr-tbh2"},{"vulnerability":"VCID-dr1v-72p6-2yhn"},{"vulnerability":"VCID-fefk-6mjh-67fm"},{"vulnerability":"VCID-frdw-trch-uufq"},{"vulnerability":"VCID-gapt-kwkw-kkek"},{"vulnerability":"VCID-gj5s-dde8-1ubx"},{"vulnerability":"VCID-h5fw-ktc6-rqd3"},{"vulnerability":"VCID-hhsz-ba47-zka4"},{"vulnerability":"VCID-jate-jey2-n3g1"},{"vulnerability":"VCID-jkcz-zpks-ubgz"},{"vulnerability":"VCID-jked-29nn-tqe3"},{"vulnerability":"VCID-jx4z-thz3-rbdw"},{"vulnerability":"VCID-jy3a-zvh4-b3ag"},{"vulnerability":"VCID-kfz9-wq8k-nkb3"},{"vulnerability":"VCID-m5us-tmqh-wkbm"},{"vulnerability":"VCID-mpy5-d7qa-u7fz"},{"vulnerability":"VCID-n38c-6usb-tkgq"},{"vulnerability":"VCID-nv7m-hsr3-17gk"},{"vulnerability":"VCID-pgj4-u64z-17bt"},{"vulnerability":"VCID-pr1g-m4k2-1ue1"},{"vulnerability":"VCID-sc8u-4w9c-23ev"},{"vulnerability":"VCID-t864-v2g6-jbhk"},{"vulnerability":"VCID-tbsd-gk6n-9ygc"},{"vulnerability":"VCID-u4hp-dwsj-53b9"},{"vulnerability":"VCID-ubyg-pbmy-ekds"},{"vulnerability":"VCID-vuzz-by1n-aff9"},{"vulnerability":"VCID-w384-t6ne-s3g7"},{"vulnerability":"VCID-w4dd-77t2-wuc7"},{"vulnerability":"VCID-wurt-zx5x-8kds"},{"vulnerability":"VCID-wv5n-ccn5-fqc2"},{"vulnerability":"VCID-xaqm-x1w4-s3hn"},{"vulnerability":"VCID-xwr8-85au-ukd7"},{"vulnerability":"VCID-ytep-z8dn-vfh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:6.0.14%252Bdfsg-1"},{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo1
2%252B1"}],"aliases":["CVE-2024-36467"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jked-29nn-tqe3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107089?format=json","vulnerability_id":"VCID-sc8u-4w9c-23ev","summary":"JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user \"zabbix\") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29450","reference_id":"","reference_type":"","scores":[{"value":"0.00309","scoring_system":"epss","scoring_elements":"0.54388","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29450"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29450","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29450"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175","reference_id":"1055175","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html","reference_id":"msg00027.html","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-06T14:20:54Z/"}],"url":"https://lis
ts.debian.org/debian-lts-announce/2023/08/msg00027.html"},{"reference_url":"https://support.zabbix.com/browse/ZBX-22588","reference_id":"ZBX-22588","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-06T14:20:54Z/"}],"url":"https://support.zabbix.com/browse/ZBX-22588"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195441?format=json","purl":"pkg:deb/debian/zabbix@1:6.0.14%2Bdfsg-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18kh-njx3-p7aw"},{"vulnerability":"VCID-21tq-54r3-cqec"},{"vulnerability":"VCID-2jas-5kc1-puat"},{"vulnerability":"VCID-35gu-ctk8-2yd2"},{"vulnerability":"VCID-3azv-fsyx-n3fz"},{"vulnerability":"VCID-3stx-z7ze-wbe8"},{"vulnerability":"VCID-53f2-uzt4-pqgs"},{"vulnerability":"VCID-547k-dyst-k3gx"},{"vulnerability":"VCID-5t3t-6uqs-akbk"},{"vulnerability":"VCID-75fb-vhhc-fbe8"},{"vulnerability":"VCID-7ajm-my3d-7fgy"},{"vulnerability":"VCID-8eb9-mxpg-5kf2"},{"vulnerability":"VCID-8zqh-3xt2-nbdq"},{"vulnerability":"VCID-ambh-afzs-2kg9"},{"vulnerability":"VCID-beqm-vczf-dqgj"},{"vulnerability":"VCID-bff2-nhum-ckhj"},{"vulnerability":"VCID-buz8-zycr-tbh2"},{"vulnerability":"VCID-dr1v-72p6-2yhn"},{"vulnerability":"VCID-fefk-6mjh-67fm"},{"vulnerability":"VCID-frdw-trch-uufq"},{"vulnerability":"VCID-gapt-kwkw-kkek"},{"vulnerability":"VCID-gj5s-dde8-1ubx"},{"vulnerability":"VCID-h5fw-ktc6-rqd3"},{"vulnerability":"VCID-hhsz-ba47-zka4"},{"vulnerability":"VCID-jate-jey2-n3g1"},{"vulnerability":"VCID-jkcz-zpks-ubgz"},{"vulnerability":"VCID-jked-29nn-tqe3"},{"vulnerability":"VCID-jx4z-thz3-rbdw"},{"vulnerability":"VCID-jy3a-zvh4-b3ag"},{"vulnerability":"VCID-kfz9-wq8k-nkb3"},{"vulnerability":"VCID-m5us-tmqh-wkbm"},{"vulnerability":"VCID-mpy5-d7qa-u7fz"},{"vulnerability":"VCID-n38c-6usb-tkgq"},{"vulnerability":"VCID-n
v7m-hsr3-17gk"},{"vulnerability":"VCID-pgj4-u64z-17bt"},{"vulnerability":"VCID-pr1g-m4k2-1ue1"},{"vulnerability":"VCID-sc8u-4w9c-23ev"},{"vulnerability":"VCID-t864-v2g6-jbhk"},{"vulnerability":"VCID-tbsd-gk6n-9ygc"},{"vulnerability":"VCID-u4hp-dwsj-53b9"},{"vulnerability":"VCID-ubyg-pbmy-ekds"},{"vulnerability":"VCID-vuzz-by1n-aff9"},{"vulnerability":"VCID-w384-t6ne-s3g7"},{"vulnerability":"VCID-w4dd-77t2-wuc7"},{"vulnerability":"VCID-wurt-zx5x-8kds"},{"vulnerability":"VCID-wv5n-ccn5-fqc2"},{"vulnerability":"VCID-xaqm-x1w4-s3hn"},{"vulnerability":"VCID-xwr8-85au-ukd7"},{"vulnerability":"VCID-ytep-z8dn-vfh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:6.0.14%252Bdfsg-1"},{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2023-29450"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sc8u-4w9c-23ev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107080?format=json","vulnerability_id":"VCID-tt47-6swy-n3cw","summary":"An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. 
The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-35229","reference_id":"","reference_type":"","scores":[{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74554","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74585","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-35229"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35229","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35229"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014992","reference_id":"1014992","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014992"},{"reference_url":"https://usn.ubuntu.com/6751-1/","reference_id":"USN-6751-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6751-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195441?format=json","purl":"pkg:deb/debian/zabbix@1:6.0.14%2Bdfsg-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18kh-njx3-p7aw"},{"vulnerability":"VCID-21tq-54r3-cqec"},{"vulnerability":"VCID-2jas-5kc1-puat"},{"vulnerability":"VCID-35gu-ctk8-2yd2"},{"vulnerability":"VCID-3azv-fsyx-n3fz"},{"vulnerability":"VCID-3stx-z7ze-wbe8"},{"vulnerability":"VCID-53f2-uzt4-pqgs"},{"vulnerability":"VCID-547k-dyst-k3gx"},{"vulnerability":"VCID-5t3t-6uqs-akbk"},{"vulne
rability":"VCID-75fb-vhhc-fbe8"},{"vulnerability":"VCID-7ajm-my3d-7fgy"},{"vulnerability":"VCID-8eb9-mxpg-5kf2"},{"vulnerability":"VCID-8zqh-3xt2-nbdq"},{"vulnerability":"VCID-ambh-afzs-2kg9"},{"vulnerability":"VCID-beqm-vczf-dqgj"},{"vulnerability":"VCID-bff2-nhum-ckhj"},{"vulnerability":"VCID-buz8-zycr-tbh2"},{"vulnerability":"VCID-dr1v-72p6-2yhn"},{"vulnerability":"VCID-fefk-6mjh-67fm"},{"vulnerability":"VCID-frdw-trch-uufq"},{"vulnerability":"VCID-gapt-kwkw-kkek"},{"vulnerability":"VCID-gj5s-dde8-1ubx"},{"vulnerability":"VCID-h5fw-ktc6-rqd3"},{"vulnerability":"VCID-hhsz-ba47-zka4"},{"vulnerability":"VCID-jate-jey2-n3g1"},{"vulnerability":"VCID-jkcz-zpks-ubgz"},{"vulnerability":"VCID-jked-29nn-tqe3"},{"vulnerability":"VCID-jx4z-thz3-rbdw"},{"vulnerability":"VCID-jy3a-zvh4-b3ag"},{"vulnerability":"VCID-kfz9-wq8k-nkb3"},{"vulnerability":"VCID-m5us-tmqh-wkbm"},{"vulnerability":"VCID-mpy5-d7qa-u7fz"},{"vulnerability":"VCID-n38c-6usb-tkgq"},{"vulnerability":"VCID-nv7m-hsr3-17gk"},{"vulnerability":"VCID-pgj4-u64z-17bt"},{"vulnerability":"VCID-pr1g-m4k2-1ue1"},{"vulnerability":"VCID-sc8u-4w9c-23ev"},{"vulnerability":"VCID-t864-v2g6-jbhk"},{"vulnerability":"VCID-tbsd-gk6n-9ygc"},{"vulnerability":"VCID-u4hp-dwsj-53b9"},{"vulnerability":"VCID-ubyg-pbmy-ekds"},{"vulnerability":"VCID-vuzz-by1n-aff9"},{"vulnerability":"VCID-w384-t6ne-s3g7"},{"vulnerability":"VCID-w4dd-77t2-wuc7"},{"vulnerability":"VCID-wurt-zx5x-8kds"},{"vulnerability":"VCID-wv5n-ccn5-fqc2"},{"vulnerability":"VCID-xaqm-x1w4-s3hn"},{"vulnerability":"VCID-xwr8-85au-ukd7"},{"vulnerability":"VCID-ytep-z8dn-vfh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:6.0.14%252Bdfsg-1"}],"aliases":["CVE-2022-35229"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tt47-6swy-n3cw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107115?format=json","vulnerability_id":"VCID-wv5n-ccn5-fqc2",
"summary":"Zabbix allows to configure SMS notifications. AT command injection occurs on \"Zabbix Server\" because there is no validation of \"Number\" field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on modem.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22122","reference_id":"","reference_type":"","scores":[{"value":"0.00438","scoring_system":"epss","scoring_elements":"0.63478","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22122"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078553","reference_id":"1078553","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078553"},{"reference_url":"https://support.zabbix.com/browse/ZBX-25012","reference_id":"ZBX-25012","reference_type":"","scores":[{"value":"3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:46:40Z/"}],"url":"https://support.zabbix.com/browse/ZBX-25012"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195441?format=json","purl":"pkg:deb/debian/zabbix@1:6.0.14%2Bdfsg-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18kh-njx3-p7aw"},{"vulnerability":"V
CID-21tq-54r3-cqec"},{"vulnerability":"VCID-2jas-5kc1-puat"},{"vulnerability":"VCID-35gu-ctk8-2yd2"},{"vulnerability":"VCID-3azv-fsyx-n3fz"},{"vulnerability":"VCID-3stx-z7ze-wbe8"},{"vulnerability":"VCID-53f2-uzt4-pqgs"},{"vulnerability":"VCID-547k-dyst-k3gx"},{"vulnerability":"VCID-5t3t-6uqs-akbk"},{"vulnerability":"VCID-75fb-vhhc-fbe8"},{"vulnerability":"VCID-7ajm-my3d-7fgy"},{"vulnerability":"VCID-8eb9-mxpg-5kf2"},{"vulnerability":"VCID-8zqh-3xt2-nbdq"},{"vulnerability":"VCID-ambh-afzs-2kg9"},{"vulnerability":"VCID-beqm-vczf-dqgj"},{"vulnerability":"VCID-bff2-nhum-ckhj"},{"vulnerability":"VCID-buz8-zycr-tbh2"},{"vulnerability":"VCID-dr1v-72p6-2yhn"},{"vulnerability":"VCID-fefk-6mjh-67fm"},{"vulnerability":"VCID-frdw-trch-uufq"},{"vulnerability":"VCID-gapt-kwkw-kkek"},{"vulnerability":"VCID-gj5s-dde8-1ubx"},{"vulnerability":"VCID-h5fw-ktc6-rqd3"},{"vulnerability":"VCID-hhsz-ba47-zka4"},{"vulnerability":"VCID-jate-jey2-n3g1"},{"vulnerability":"VCID-jkcz-zpks-ubgz"},{"vulnerability":"VCID-jked-29nn-tqe3"},{"vulnerability":"VCID-jx4z-thz3-rbdw"},{"vulnerability":"VCID-jy3a-zvh4-b3ag"},{"vulnerability":"VCID-kfz9-wq8k-nkb3"},{"vulnerability":"VCID-m5us-tmqh-wkbm"},{"vulnerability":"VCID-mpy5-d7qa-u7fz"},{"vulnerability":"VCID-n38c-6usb-tkgq"},{"vulnerability":"VCID-nv7m-hsr3-17gk"},{"vulnerability":"VCID-pgj4-u64z-17bt"},{"vulnerability":"VCID-pr1g-m4k2-1ue1"},{"vulnerability":"VCID-sc8u-4w9c-23ev"},{"vulnerability":"VCID-t864-v2g6-jbhk"},{"vulnerability":"VCID-tbsd-gk6n-9ygc"},{"vulnerability":"VCID-u4hp-dwsj-53b9"},{"vulnerability":"VCID-ubyg-pbmy-ekds"},{"vulnerability":"VCID-vuzz-by1n-aff9"},{"vulnerability":"VCID-w384-t6ne-s3g7"},{"vulnerability":"VCID-w4dd-77t2-wuc7"},{"vulnerability":"VCID-wurt-zx5x-8kds"},{"vulnerability":"VCID-wv5n-ccn5-fqc2"},{"vulnerability":"VCID-xaqm-x1w4-s3hn"},{"vulnerability":"VCID-xwr8-85au-ukd7"},{"vulnerability":"VCID-ytep-z8dn-vfh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:6.0.14%252Bdfsg-
1"},{"url":"http://public2.vulnerablecode.io/api/packages/195442?format=json","purl":"pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1~bpo12%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:7.0.9%252Bdfsg-1~bpo12%252B1"}],"aliases":["CVE-2024-22122"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wv5n-ccn5-fqc2"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/zabbix@1:6.0.14%252Bdfsg-1"}