Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
In Znuny LTS before 6.5.21 and Znuny before 7.3.3, there is reflected XSS in
AdminCommunicationLog (aka the communication log administration view).
AnalysisAI
Reflected cross-site scripting in Znuny's AdminCommunicationLog (communication log administration view) allows a low-privileged authenticated attacker to inject arbitrary JavaScript that executes in the context of other users' browsers, with changed scope indicating impact beyond the vulnerable component itself. Affected releases are Znuny LTS before 6.5.21 and Znuny before 7.3.3. No public exploit identified at time of analysis and this CVE does not appear in CISA KEV, though the low-complexity, network-accessible attack vector and changed scope elevate practical concern for deployments with untrusted low-privilege users.
Technical ContextAI
Znuny is an open-source ITSM and helpdesk platform forked from OTRS. The AdminCommunicationLog module handles the administration view for communication (email, chat) logging and is accessible to authenticated users with appropriate roles. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that user-supplied input - likely a URL parameter or form field rendered in the admin view - is reflected back into the HTML response without adequate encoding or sanitization. The affected CPE is cpe:2.3:a:znuny:znuny:*:*:*:*:*:*:*:*, covering the Znuny application broadly across both LTS (6.x) and mainline (7.x) release tracks. The CVSS scope-change flag (S:C) reflects that a successful XSS payload can affect the browser session of a victim who is potentially more privileged than the attacker, crossing a security boundary.
RemediationAI
Upgrade Znuny LTS installations to version 6.5.21 or later, and Znuny mainline installations to version 7.3.3 or later, per the vendor advisory at https://www.znuny.org/en/advisories/zsa-2026-10. If immediate patching is not feasible, restrict access to the AdminCommunicationLog view by tightening Znuny role/group permissions so that only fully trusted administrators can access communication log administration - this reduces the attack surface by limiting which low-privilege accounts can reach the vulnerable endpoint. Additionally, consider enforcing HTTP response security headers (Content-Security-Policy restricting inline script execution) at the web server or reverse proxy layer as a defense-in-depth measure; note that CSP configuration may require tuning to avoid breaking legitimate Znuny UI functionality. No patch version discrepancy between mainline and LTS was identified from available data.
An Eval Injection issue was discovered in Znuny through 7.1.3. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in Znuny before 7.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
An issue was discovered in Znuny through 7.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo
An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in use
An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able
An issue was discovered in Znuny before 7.1.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitabl
An issue was discovered in Znuny through 7.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab
Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Rated high severity (CVSS 7.5
An issue was discovered in Znuny 7.0.1 through 7.0.16 where the ticket detail view in the customer front allows the exec
An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Rated medium severity (CVSS 6.1), this vulnerabil
Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. Rated medium severity (CVSS 6.1), this vulner
Stored cross-site scripting in Znuny's user preferences mechanism allows an authenticated low-privileged attacker to inj
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34783
GHSA-fjc3-384j-842g