Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1422

NIXPKGS-2026-1422
published 1 month, 2 weeks ago
Permalink CVE-2026-23928
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 2 weeks ago
  • @LeSuisse ignored
    52 packages
    • zabbixctl
    • zabbix-cli
    • zabbix.agent
    • zabbix.agent2
    • zabbix.server
    • zabbix60.agent
    • zabbix70.agent
    • zabbix72.agent
    • zabbix74.agent
    • zabbix60.agent2
    • zabbix60.server
    • zabbix70.agent2
    • zabbix70.server
    • zabbix72.agent2
    • zabbix72.server
    • zabbix74.agent2
    • zabbix74.server
    • zabbix.proxy-mysql
    • zabbix.proxy-pgsql
    • zabbix.proxy-sqlite
    • zabbix.server-mysql
    • zabbix.server-pgsql
    • zabbix60.proxy-mysql
    • zabbix60.proxy-pgsql
    • zabbix70.proxy-mysql
    • zabbix70.proxy-pgsql
    • zabbix72.proxy-mysql
    • zabbix72.proxy-pgsql
    • zabbix74.proxy-mysql
    • zabbix74.proxy-pgsql
    • zabbix60.proxy-sqlite
    • zabbix60.server-mysql
    • zabbix60.server-pgsql
    • zabbix70.proxy-sqlite
    • zabbix70.server-mysql
    • zabbix70.server-pgsql
    • zabbix72.proxy-sqlite
    • zabbix72.server-mysql
    • zabbix72.server-pgsql
    • zabbix74.proxy-sqlite
    • zabbix74.server-mysql
    • zabbix74.server-pgsql
    • python312Packages.pyzabbix
    • python313Packages.pyzabbix
    • python314Packages.pyzabbix
    • python312Packages.py-zabbix
    • python313Packages.py-zabbix
    • python314Packages.py-zabbix
    • python312Packages.zabbix-utils
    • python313Packages.zabbix-utils
    • python314Packages.zabbix-utils
    • zabbix-agent2-plugin-postgresql
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago
Stored XSS vulnerability in the Item history/Plain text widget

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0.

Affected products

Zabbix
  • =<7.0.23
  • =<6.0.44
  • =<7.4.7

Matching in nixpkgs

pkgs.zabbix.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix60.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix70.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix74.web

Enterprise-class open source distributed monitoring solution (web frontend)

Ignored packages (52)

pkgs.zabbix.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix.server

Enterprise-class open source distributed monitoring solution

pkgs.zabbix60.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix70.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix74.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix74.server

Enterprise-class open source distributed monitoring solution

pkgs.zabbix.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

pkgs.zabbix.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

pkgs.zabbix74.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

pkgs.zabbix74.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

pkgs.zabbix74.proxy-sqlite

Enterprise-class open source distributed monitoring solution (client-server proxy)

Package maintainers