Security Advisory

CVE-2026-23921

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-24 18:28:41

Last updated 2026-03-26 03:55:36

Assigner Zabbix

State PUBLISHED

Description

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.

← Browse all CVEs View on cve.org ↗