Hi,
The following vulnerabilities were published for zabbix.
Chose RC level severity as this should be fixed for forky.

CVE-2026-23926[0]:
| An authenticated (non-super) administrator can create a maintenance
| period with a JavaScript payload that is executed by any user that
| opens tooltip for that maintenance period in the Host navigator
| widget. This can allow the attacker to perform unauthorized actions
| depending on which user opens the tooltip.

CVE-2026-23927[1]:
| A user able to connect to Agent 2 can inject an Oracle TNS
| connection string via the 'service' parameter. This can lead to
| Agent 2 connecting to an attacker-controlled server and leaking
| Oracle database credentials if they are saved in a named session.

CVE-2026-23928[2]:
| The Item history widget (in Zabbix 7.0+) or the Plain text widget
| (in Zabbix 6.0) can execute injected JavaScript when HTML display is
| enabled. This can allow an attacker to perform unauthorized actions
| depending on which user opens a dashboard containing these widgets.
| The malicious JavaScript would have to come from a monitored host
| controlled by the attacker. Note: the Item history widget is a
| replacement for the Plain text widget since Zabbix 7.0.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-23926
https://www.cve.org/CVERecord?id=CVE-2026-23926
[1] https://security-tracker.debian.org/tracker/CVE-2026-23927
https://www.cve.org/CVERecord?id=CVE-2026-23927
[2] https://security-tracker.debian.org/tracker/CVE-2026-23928
https://www.cve.org/CVERecord?id=CVE-2026-23928

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
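As an added example, not part of this report and not Zabbix's own fix for CVE-2026-23927: a Go sketch of the defensive check the second entry implies, treating the Agent 2 'service' parameter as a plain Oracle service name and building the TNS descriptor from separately validated host, port and service values, so that the parameter can only ever fill the SERVICE_NAME slot. Function names, patterns and the sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical allowlists (not from Zabbix): a service name is letters,
// digits, '.', '_' and '-'; a host is letters, digits, '.' and '-'.
// Parentheses, '=' and whitespace are exactly what a TNS descriptor
// needs, so rejecting them stops a descriptor from riding in as a name.
var (
	servicePattern = regexp.MustCompile(`^[A-Za-z0-9._-]{1,255}$`)
	hostPattern    = regexp.MustCompile(`^[A-Za-z0-9.-]{1,253}$`)
)

// ValidateServiceParam returns nil for a plain service name and an error
// for anything carrying TNS descriptor syntax.
func ValidateServiceParam(service string) error {
	if !servicePattern.MatchString(service) {
		return fmt.Errorf("service %q is not a plain service name", service)
	}
	return nil
}

// ConnectDescriptor composes the descriptor itself from validated parts,
// so the caller-supplied values cannot redirect the connection to another
// HOST/PORT or append further descriptor sections.
func ConnectDescriptor(host string, port int, service string) (string, error) {
	if err := ValidateServiceParam(service); err != nil {
		return "", err
	}
	if !hostPattern.MatchString(host) || port < 1 || port > 65535 {
		return "", fmt.Errorf("invalid host %q or port %d", host, port)
	}
	return fmt.Sprintf(
		"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%d))(CONNECT_DATA=(SERVICE_NAME=%s)))",
		host, port, service), nil
}

func main() {
	// Constructed sample inputs: a plain name passes, a descriptor is refused.
	for _, s := range []string{"orcl", "(DESCRIPTION=(ADDRESS=(HOST=example.invalid)))"} {
		fmt.Printf("%q -> %v\n", s, ValidateServiceParam(s))
	}
	d, err := ConnectDescriptor("db.example.invalid", 1521, "orcl")
	fmt.Println(d, err)
}
```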