Zabbix
Zabbix
Open-source monitoring platform for infrastructure, applications, and networks.
7.4.9
- Release date
- April 08, 2026
- CVE status
- 2 visible CVEs
Source
Public release notes are linked for the latest stored release.
Release history
See the latest published releases stored for this product.
| Version | Published | Notes |
|---|---|---|
| 7.4.9 | 2026-04-08 | Release Notes |
| 7.4.8 | 2026-03-13 | Release Notes |
Vulnerability tracking
Review curated CVEs for this product and see whether the current version is marked affected. Only CVEs with a CVSS score of 7.0 or higher and published in the last 90 days are shown.
| CVE | Severity | Published | Status | Summary |
|---|---|---|---|---|
| CVE-2026-23921 | HIGH (8.7) | 2026-03-24 | Current versionnot affected | A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise. Affected versions
Show 1 more
|
| CVE-2026-23919 | HIGH (7.1) | 2026-03-24 | Current versionnot affected | For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information <a href='https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe'>in Zabbix documentation</a>. Affected versions
Show 2 more
|