Description
In Znuny LTS before 6.5.21 and Znuny before 7.3.3, there is reflected XSS in

AdminCommunicationLog (aka the communication log administration view).
Published: 2026-06-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Znuny LTS before 6.5.21 and Znuny before 7.3.3 the admin view for communication logs fails to escape user input, enabling a reflected XSS attack. Injected script is executed in the context of the administrative interface, potentially allowing an attacker to hijack user sessions, steal credentials, or run arbitrary code in the victim’s browser. The flaw is categorized as CWE‑79.

Affected Systems

The vulnerability applies to the Znuny ticketing system. Users who have not upgraded beyond Znuny LTS 6.5.21 or the generic Znuny 7.3.3 release are affected. Any installation running these earlier versions is at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate risk, with no EPSS score available and no listing in the CISA KEV catalog. Exploitation requires access to the administrative interface; thus an attacker must have authenticated administrative privileges or must convince a privileged user to consume a crafted link. The attack vector is therefore authenticated or social‑engineering based, and the impact occurs within the victim’s browser session.

Generated by OpenCVE AI on June 5, 2026 at 04:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Znuny to LTS 6.5.21 or Znuny 7.3.3, which provide the fixed input sanitization for the AdminCommunicationLog view.
  • If an immediate upgrade is not possible, restrict user roles so that only trusted administrators can access the AdminCommunicationLog interface.
  • Implement a strict Content Security Policy that disallows inline scripts to mitigate the XSS impact while remediation is underway.

Generated by OpenCVE AI on June 5, 2026 at 04:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS in Znuny Admin Communication Log

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Description In Znuny LTS before 6.5.21 and Znuny before 7.3.3, there is reflected XSS in AdminCommunicationLog (aka the communication log administration view).
First Time appeared Znuny
Znuny znuny
Weaknesses CWE-79
CPEs cpe:2.3:a:znuny:znuny:*:*:*:*:*:*:*:*
Vendors & Products Znuny
Znuny znuny
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Znuny Znuny
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-05T18:21:36.439Z

Reserved: 2026-06-05T01:57:34.434Z

Link: CVE-2026-50592

cve-icon Vulnrichment

Updated: 2026-06-05T18:21:23.857Z

cve-icon NVD

Status : Deferred

Published: 2026-06-05T02:17:14.350

Modified: 2026-06-05T14:59:31.207

Link: CVE-2026-50592

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:45:32Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')