Skip to main content

Znuny EUVDEUVD-2026-34783

| CVE-2026-50592 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-05 mitre GHSA-fjc3-384j-842g
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 05, 2026 - 04:16 EUVD
Analysis Generated
Jun 05, 2026 - 03:20 vuln.today

DescriptionCVE.org

In Znuny LTS before 6.5.21 and Znuny before 7.3.3, there is reflected XSS in

AdminCommunicationLog (aka the communication log administration view).

AnalysisAI

Reflected cross-site scripting in Znuny's AdminCommunicationLog (communication log administration view) allows a low-privileged authenticated attacker to inject arbitrary JavaScript that executes in the context of other users' browsers, with changed scope indicating impact beyond the vulnerable component itself. Affected releases are Znuny LTS before 6.5.21 and Znuny before 7.3.3. No public exploit identified at time of analysis and this CVE does not appear in CISA KEV, though the low-complexity, network-accessible attack vector and changed scope elevate practical concern for deployments with untrusted low-privilege users.

Technical ContextAI

Znuny is an open-source ITSM and helpdesk platform forked from OTRS. The AdminCommunicationLog module handles the administration view for communication (email, chat) logging and is accessible to authenticated users with appropriate roles. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that user-supplied input - likely a URL parameter or form field rendered in the admin view - is reflected back into the HTML response without adequate encoding or sanitization. The affected CPE is cpe:2.3:a:znuny:znuny:*:*:*:*:*:*:*:*, covering the Znuny application broadly across both LTS (6.x) and mainline (7.x) release tracks. The CVSS scope-change flag (S:C) reflects that a successful XSS payload can affect the browser session of a victim who is potentially more privileged than the attacker, crossing a security boundary.

RemediationAI

Upgrade Znuny LTS installations to version 6.5.21 or later, and Znuny mainline installations to version 7.3.3 or later, per the vendor advisory at https://www.znuny.org/en/advisories/zsa-2026-10. If immediate patching is not feasible, restrict access to the AdminCommunicationLog view by tightening Znuny role/group permissions so that only fully trusted administrators can access communication log administration - this reduces the attack surface by limiting which low-privilege accounts can reach the vulnerable endpoint. Additionally, consider enforcing HTTP response security headers (Content-Security-Policy restricting inline script execution) at the web server or reverse proxy layer as a defense-in-depth measure; note that CSP configuration may require tuning to avoid breaking legitimate Znuny UI functionality. No patch version discrepancy between mainline and LTS was identified from available data.

More in Znuny

View all
CVE-2025-26845 CRITICAL
9.8 May 08

An Eval Injection issue was discovered in Znuny through 7.1.3. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2025-26846 CRITICAL
9.8 May 12

An issue was discovered in Znuny before 7.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2025-26844 CRITICAL
9.8 May 08

An issue was discovered in Znuny through 7.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2024-32491 CRITICAL
9.8 Apr 29

An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in use

CVE-2024-32493 HIGH
8.8 Apr 29

An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able

CVE-2025-26847 HIGH
7.5 May 08

An issue was discovered in Znuny before 7.1.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitabl

CVE-2025-26842 HIGH
7.5 May 08

An issue was discovered in Znuny through 7.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab

CVE-2024-48938 HIGH
7.5 Oct 11

Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Rated high severity (CVSS 7.5

CVE-2024-32492 HIGH
7.1 Apr 29

An issue was discovered in Znuny 7.0.1 through 7.0.16 where the ticket detail view in the customer front allows the exec

CVE-2025-43926 MEDIUM
6.1 May 08

An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Rated medium severity (CVSS 6.1), this vulnerabil

CVE-2024-48937 MEDIUM
6.1 Oct 11

Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. Rated medium severity (CVSS 6.1), this vulner

CVE-2026-50591 MEDIUM
5.4 Jun 05

Stored cross-site scripting in Znuny's user preferences mechanism allows an authenticated low-privileged attacker to inj

Share

EUVD-2026-34783 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy