Skip to main content

Zammad EUVDEUVD-2026-20558

| CVE-2026-34718 MEDIUM
Basic XSS (CWE-80)
2026-04-08 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
7.0.1,6.5.4
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20558
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 18:01 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in storing such malicious content in the database of the Zammad instance. The Zammad GUI is rendering this content, due to applied CSP rules no harm was done by e.g., clicking such a link. This vulnerability is fixed in 7.0.1 and 6.5.4.

AnalysisAI

Improper HTML sanitization in Zammad ticket article processing prior to versions 7.0.1 and 6.5.4 allows unauthenticated remote attackers to inject malicious data URI schemes that persist in the database, potentially enabling stored cross-site scripting (XSS) attacks. While current Content Security Policy mitigations prevent immediate harm from link clicks, the vulnerability represents a persistent data integrity issue and stored XSS vector that could be exploited if CSP rules are modified or bypassed. No public exploit code has been identified, but the vulnerability affects all instances running unpatched versions.

Technical ContextAI

Zammad is an open-source web-based helpdesk system that processes and stores user-submitted ticket articles in an HTML format. The vulnerability stems from CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) in the HTML sanitizer component responsible for cleaning ticket article input before storage. The sanitizer failed to properly filter malicious data URI schemes (such as data:text/html,<script>alert(1)</script>) which are then rendered by the Zammad GUI when displaying stored ticket content. While the application's Content Security Policy provides a secondary defense layer preventing script execution on click, the root cause is insufficient input validation and sanitization at the storage layer, allowing malicious content to persist in the database where it could be exploited if CSP enforcement is weakened or if alternative rendering contexts bypass the CSP restrictions.

RemediationAI

Upgrade Zammad to version 7.0.1 or 6.5.4 or later, which include corrected HTML sanitization logic for ticket articles. Organizations unable to upgrade immediately should apply the Content Security Policy as a temporary mitigation, ensuring that script-src, object-src, and data URI policies are strictly enforced (the existing CSP in current Zammad deployments should already provide some protection). Administrators should audit existing ticket articles for suspicious data URI patterns or JavaScript in article content using database queries to identify any injected payloads. The official advisory and patch information are available at https://github.com/zammad/zammad/security/advisories/GHSA-c2cf-9fc7-jhf3.

More in Zammad

View all
CVE-2017-5619 CRITICAL
9.8 Mar 13

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Rated critical severity (CVS

CVE-2017-6080 CRITICAL
9.8 Mar 13

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protecti

CVE-2022-35490 CRITICAL
9.8 Aug 08

Zammad 5.2.0 is vulnerable to privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely e

CVE-2021-42090 CRITICAL
9.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2021-42094 CRITICAL
9.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2020-26030 CRITICAL
9.8 Dec 28

An issue was discovered in Zammad before 3.4.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2024-33668 CRITICAL
9.1 Apr 26

An issue was discovered in Zammad before 6.3.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

CVE-2022-27332 CRITICAL
9.1 Apr 27

An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication.

CVE-2021-42091 CRITICAL
9.1 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

CVE-2017-6081 HIGH
8.8 Mar 13

A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Rated high severity (CVS

CVE-2021-42086 HIGH
8.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab

CVE-2026-34723 HIGH
8.7 Apr 08

Unauthenticated remote information disclosure in Zammad helpdesk system versions before 7.0.1 and 6.5.4 allows attackers

Share

EUVD-2026-20558 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy