Filtered by vendor Zabbix
Subscriptions
Total
117 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-42330 | 1 Zabbix | 2 Frontend, Zabbix | 2025-10-08 | 9.1 Critical |
| The HttpRequest object allows to get the HTTP headers from the server's response after sending the request. The problem is that the returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript. This allows to create internal strings that can be used to access hidden properties of objects. | ||||
| CVE-2025-49641 | 1 Zabbix | 1 Zabbix | 2025-10-08 | 4.3 Medium |
| A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems. | ||||
| CVE-2025-27236 | 1 Zabbix | 1 Zabbix | 2025-10-08 | 6.5 Medium |
| A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to. | ||||
| CVE-2025-27231 | 1 Zabbix | 1 Zabbix | 2025-10-08 | 4.9 Medium |
| The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host' to a rogue LDAP server. To mitigate this, the 'Bind password' value is now reset on 'Host' change. | ||||
| CVE-2025-27240 | 1 Zabbix | 1 Zabbix | 2025-10-08 | 7.2 High |
| A Zabbix adminitrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field. | ||||
| CVE-2025-27238 | 1 Zabbix | 1 Zabbix | 2025-10-08 | 3.5 Low |
| Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them. | ||||
| CVE-2024-45700 | 1 Zabbix | 1 Zabbix | 2025-10-08 | 6.5 Medium |
| Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled resource exhaustion. An attacker can send specially crafted requests to the server, which will cause the server to allocate an excessive amount of memory and perform CPU-intensive decompression operations, ultimately leading to a service crash. | ||||
| CVE-2025-27237 | 2 Microsoft, Zabbix | 5 Windows, Zabbix, Zabbix-agent and 2 more | 2025-10-06 | N/A |
| In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL. | ||||
| CVE-2025-10630 | 2 Grafana, Zabbix | 2 Grafana, Zabbix | 2025-09-24 | 4.3 Medium |
| Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metrics and realtime monitoring. Versions 5.2.1 and below contained a ReDoS vulnerability via user-supplied regex query which could causes CPU usage to max out. This vulnerability is fixed in version 6.0.0. | ||||
| CVE-2025-27234 | 1 Zabbix | 4 Zabbix, Zabbix-agent, Zabbix-agent2 and 1 more | 2025-09-15 | N/A |
| Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. In Zabbix 5.0 this allows for remote code execution. | ||||
| CVE-2025-27233 | 2 Microsoft, Zabbix | 4 Windows, Zabbix, Zabbix-agent and 1 more | 2025-09-15 | N/A |
| Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. This can be used to leak the NTLMv2 hash from a Windows system. | ||||
| CVE-2024-22119 | 1 Zabbix | 1 Zabbix | 2025-06-09 | 5.5 Medium |
| The cause of vulnerability is improper validation of form input field “Name” on Graph page in Items section. | ||||
| CVE-2023-32727 | 1 Zabbix | 1 Zabbix Server | 2025-05-07 | 6.8 Medium |
| An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server. | ||||
| CVE-2022-43515 | 1 Zabbix | 1 Frontend | 2025-04-22 | 5.3 Medium |
| Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using IP address not listed in the defined range. | ||||
| CVE-2017-2824 | 1 Zabbix | 1 Zabbix | 2025-04-20 | N/A |
| An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability. | ||||
| CVE-2016-4338 | 1 Zabbix | 1 Zabbix | 2025-04-20 | N/A |
| The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter. | ||||
| CVE-2016-10134 | 1 Zabbix | 1 Zabbix | 2025-04-20 | N/A |
| SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php. | ||||
| CVE-2022-43516 | 2 Microsoft, Zabbix | 2 Windows Firewall, Zabbix | 2025-04-18 | 6.5 Medium |
| A Firewall Rule which allows all incoming TCP connections to all programs from any source and to all ports is created in Windows Firewall after Zabbix agent installation (MSI) | ||||
| CVE-2022-46768 | 1 Zabbix | 2 Web Service Report Generation, Zabbix-agent2 | 2025-04-16 | 5.9 Medium |
| Arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on the port 10053. The service does not have proper validation for URL parameters before reading the files. | ||||
| CVE-2014-1682 | 2 Fedoraproject, Zabbix | 2 Fedora, Zabbix | 2025-04-12 | N/A |
| The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x before 2.2.2rc1 allows remote authenticated users to spoof arbitrary users via the user name in a user.login request. | ||||