CVE & CISA-KEV Catalog

CVE-2026-23919

UNSCORED

Description

For performance reasons, Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript preprocessing, and webhooks). This can lead to a loss of confidentiality in which a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built-in Zabbix JavaScript objects read-only, but please be advised that the use of global JavaScript variables is not recommended because their content could be leaked. More information is available in the Zabbix documentation.

How to fix

Remediation Available

Package: zabbix (Debian)
Fixed in: 1:7.0.22+dfsg-1~deb13u1 (CVE-2026-23919)
Fixed in: 1:7.0.22+dfsg-1 (CVE-2026-23919)

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3.1 Vector

No CVSS vector data available.

Exploit Intelligence

0.15% probability of exploitation in 30 days
5th percentile

Low risk: more likely to be exploited than 5% of all known CVEs.

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-03-25.