Vulnerability Report

CVE-2026-23921

Title: Blind SQL Injection in CApiService.php

SQLi

Proof Of Concept

PoC Available for CVE-2026-23921

CWE Category CWE-89

Published Date Mar 24, 2026

Modified Date Mar 25, 2026

Exploit Status Available

Score 8.7 CVSS v4.0

Exploit Probability (EPSS)

0.24%

Vulnerability Summary

CVE-2026-23921: A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.

Impacted Vendors

Analysis in Progress...

Reference Links

https://support.zabbix.com/browse/ZBX-27640

CVSS v4.0

Source Entity [email protected]

Severity HIGH

8.7

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

N/A

RAW VECTOR

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2026-23921 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/RichJJ98/analise-vulnerabilidades-zabbix-notebooklm

View Code

March 25, 2026 MODIFIED

Vulnerability data updated via NVD.

March 25, 2026 MODIFIED

Vulnerability data updated via NVD.

March 24, 2026 MODIFIED

Vulnerability data updated via NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected Stack

No specific products linked.