The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution.
Credits
This vulnerability is reported in HackerOne bounty hunter platform by Philippe Antoine (catenacyber)