CVE-2025-49643

MEDIUM EPSS 22.1%

Published Dec 1, 20257mo ago · Modified Jun 17, 20261w ago

6.0 CVSS 4.0

Medium

Published Dec 1, 2025 7mo ago

Last Modified Jun 17, 2026 1w ago

Description

An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service.

CVSS Details

Base Score

6.0

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Adjacent

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

22.1% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-405

Affected Products 4

Vendor	Product	Version	Range
zabbix	frontend	*	≥6.0.0 – <6.0.42
zabbix	frontend	*	≥7.0.0 – <7.0.19
zabbix	frontend	*	≥7.2.0 – <7.2.13
zabbix	frontend	*	≥7.4.0 – <7.4.3

References 1

support.zabbix.com https://support.zabbix.com/browse/ZBX-27284

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.