Description
In Znuny LTS before 6.5.21 and Znuny before 7.3.3, XSS can occur via stored user preferences.
Published: 2026-06-05
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Znuny LTS before 6.5.21 and Znuny before 7.3.3, a stored cross‑site scripting flaw exists via user preferences, identified as CWE‑79. The vulnerability permits malicious code to be stored in preference fields that are rendered without sanitization, allowing it to execute in a user’s browser when the preference is accessed. This can lead to session hijacking, credential theft, or other malicious actions performed in the context of the victim’s browser.

Affected Systems

This flaw affects Znuny LTS releases prior to 6.5.21 and Znuny core releases prior to 7.3.3. Users running these versions should verify that their deployment does not include the vulnerable preferences handling code.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. No EPSS value is available and the flaw is not listed in CISA KEV, suggesting limited public exploitation. A likely attack requires the attacker to alter a user’s preference entry, which may demand legitimate account access or a user action that accepts input. Once the malicious payload is stored, any user loading that preference will be affected. The absence of a public exploit reduces immediate risk, but mitigation remains prudent.

Generated by OpenCVE AI on June 5, 2026 at 04:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Znuny to at least LTS 6.5.21 or core 7.3.3
  • Sanitize stored user preference data so that any embedded script tags are escaped or removed
  • Restrict permission for editing user preferences to privileged accounts or enforce input validation before saving preferences

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:00:00 +0000

Type: Title
Values Added: Stored XSS via User Preferences in Znuny

Fri, 05 Jun 2026 03:30:00 +0000

Type: Description
Values Removed: IN Znuny LTS before 6.5.21 and Znuny before 7.3.3, XSS can occur via stored user preferences.
Values Added: In Znuny LTS before 6.5.21 and Znuny before 7.3.3, XSS can occur via stored user preferences.

Fri, 05 Jun 2026 02:15:00 +0000

Type: Description
Values Added: IN Znuny LTS before 6.5.21 and Znuny before 7.3.3, XSS can occur via stored user preferences.

Type: First Time appeared
Values Added: Znuny; Znuny znuny

Type: Weaknesses
Values Added: CWE-79

Type: CPEs
Values Added: cpe:2.3:a:znuny:znuny:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Znuny; Znuny znuny

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-05T02:21:03.777Z

Reserved: 2026-06-05T01:51:59.602Z

Link: CVE-2026-50591

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T02:17:14.187

Modified: 2026-06-05T04:17:06.047

Link: CVE-2026-50591

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T04:45:32Z

Weaknesses