PT-2026-31415 · Zammad · Zammad

Published 2026-04-08 · Updated 2026-04-09 · CVE-2026-34718

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Zammad versions prior to 7.0.1 and prior to 6.5.4

Description

Zammad, a web-based open-source helpdesk system, had an issue in its HTML sanitizer for ticket articles. The sanitizer did not properly sanitize URI schemes, which allowed malicious content to be stored in the Zammad instance's database. Although the Zammad GUI renders this content, the Content Security Policy (CSP) rules prevented harm from actions such as clicking malicious links.

Recommendations

Update to Zammad version 7.0.1 or later. Update to Zammad version 6.5.4 or later.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34718

Affected Products

Zammad