Description
Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in such malicious content being stored in the database of the Zammad instance. The Zammad GUI renders this content; due to the applied CSP rules, no harm was done by e.g. clicking such a link. This vulnerability is fixed in 7.0.1 and 6.5.4.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via unsanitized ticket articles
Action: Patch
AI Analysis

Impact

Zammad versions before 7.0.1 and 6.5.4 fail to properly neutralize script‑related HTML tags in ticket articles, allowing storage of malicious content in the database. When rendered in the GUI, the content is displayed without sufficient filtering, creating a stored cross‑site scripting risk. Although the current CSP rules limit the harm of clicking links, an attacker could potentially inject scripts that run in the context of any user who views the affected ticket, leading to data theft or session hijacking.

Affected Systems

The affected product is Zammad, the web‑based helpdesk system released by the zammad project. Only installations running versions older than 7.0.1 or 6.5.4 are vulnerable; newer releases contain the fix.

Risk and Exploitability

With a CVSS score of 5.3 the vulnerability is considered moderate severity. No EPSS score is available, and it is not listed in CISA’s KEV catalog, indicating limited evidence of active exploitation. Based on the description, the likely attack vector is through the web interface: an attacker can submit malicious ticket content which is then stored and later rendered for other users. The exploitation requires the ability to create or edit ticket articles, so it is limited to users with that privilege, but within that scope the impact is significant.

Generated by OpenCVE AI on April 8, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Back up the Zammad database and configuration
  • Upgrade the Zammad installation to version 7.0.1 or 6.5.4, which contain the HTML sanitizer fix
  • Verify that ticket articles no longer accept or render unsanitized script tags
  • If upgrading immediately is not possible, restrict user permissions to prevent ticket article creation until a patch is applied
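As an added example (not Zammad's own sanitizer code and not part of this OpenCVE record), the following Ruby helper shows the kind of URI-scheme allowlist check that the verification step above calls for: it pulls href/src values out of stored article HTML and flags any whose scheme is not explicitly allowed, so a data: URI is reported while https: and relative links pass. The function and constant names (unsafe_uris, ALLOWED_SCHEMES, scheme_of) and the sample article bodies are assumptions constructed for this example.

```ruby
# Added example: a minimal URI-scheme allowlist audit for HTML stored in
# ticket articles. This is NOT Zammad's sanitizer; it is a stand-alone helper
# that reports href/src values whose scheme is not on the allowlist, so
# "data:" URIs are flagged while "https:" and relative links are accepted.

# Schemes a helpdesk article link is expected to use (assumed allowlist).
ALLOWED_SCHEMES = %w[http https mailto tel].freeze

# Matches href/src attributes with double-quoted, single-quoted or bare values.
# Deliberately simple: fine for an audit pass over exported article bodies,
# but a production sanitizer should walk a real HTML parse tree instead.
ATTR_RE = /\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i

# Returns every href/src attribute value found in the fragment, as written.
def link_values(html)
  html.scan(ATTR_RE).map { |dq, sq, bare| (dq || sq || bare).to_s }
end

# Normalises a value the way a browser does before scheme matching: leading and
# trailing whitespace and embedded control characters are dropped, so a scheme
# split by a tab (e.g. "da\tta:") is still recognised as "data".
# Returns the lower-cased scheme, or nil for a relative URL with no scheme.
def scheme_of(value)
  cleaned = value.strip.gsub(/[\x00-\x1f\x7f]/, '')
  m = cleaned.match(/\A([a-z][a-z0-9+.\-]*):/i)
  m ? m[1].downcase : nil
end

# Relative URLs and allowlisted schemes pass; everything else is rejected.
def scheme_allowed?(value)
  scheme = scheme_of(value)
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme)
end

# Returns the original attribute values that fail the allowlist (empty = clean).
def unsafe_uris(html)
  link_values(html).reject { |v| scheme_allowed?(v) }
end

# Constructed sample article bodies for a local run (not real ticket data).
SAMPLE_ARTICLES = {
  'clean'      => '<p>See <a href="https://example.com/docs">docs</a> or <a href="/tickets/1">ticket</a>.</p>',
  'data_uri'   => '<p><a href="data:text/plain,hello">open</a></p>',
  'obfuscated' => "<p><a href=' da\tta:text/plain,x'>x</a></p>"
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ARTICLES.each do |name, html|
    bad = unsafe_uris(html)
    puts "#{name}: #{bad.empty? ? 'ok' : "flagged #{bad.inspect}"}"
  end
end
```

Running the file prints one line per sample; in an audit you would feed exported article bodies through unsafe_uris and treat any non-empty result as content that predates the fixed sanitizer. The check is an allowlist on purpose: denylisting individual schemes is what leaves gaps like the one this CVE describes.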

Generated by OpenCVE AI on April 8, 2026 at 19:52 UTC.


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Zammad; Zammad zammad
Vendors & Products   -                Zammad; Zammad zammad
Metrics              -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 18:45:00 +0000

Type           Values Removed   Values Added
Description    -                Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in storing such malicious content in the database of the Zammad instance. The Zammad GUI is rendering this content, due to applied CSP rules no harm was done by e.g., clicking such a link. This vulnerability is fixed in 7.0.1 and 6.5.4.
Title          -                Zammad improperly neutralizes of script-related HTML tags in ticket articles
Weaknesses     -                CWE-80
References     -                -
Metrics        -                cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:51:19.873Z

Reserved: 2026-03-30T18:41:20.753Z

Link: CVE-2026-34718

Vulnrichment

Updated: 2026-04-08T19:51:16.478Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T19:25:21.863

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-34718

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:12:41Z

Weaknesses