Upstream information
Description
A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.SUSE information
Overall state of this security issue: Does not affect SUSE products
SUSE Bugzilla entry: 1260433 [RESOLVED / INVALID] No SUSE Security Announcements cross referenced.SUSE Timeline for this CVE
CVE page created: Tue Mar 24 22:00:28 2026CVE page last modified: Fri May 8 12:08:46 2026