Znuny Vulnerability Allows Remote Cross-Site Scripting Attack

CERT-Bund has released a security advisory (WID-SEC-2026-0826) detailing a critical vulnerability in the open-source ticketing software Znuny. The vulnerability, identified with a CVSS Base Score of 6.1, allows remote, anonymous attackers to exploit a flaw to conduct Cross-Site Scripting (XSS) attacks. This affects Znuny LTS versions prior to 6.5.19 and Znuny versions prior to 7.3.1, impacting Linux and UNIX operating systems.

Organizations using affected versions of Znuny must take immediate action to mitigate this risk. It is recommended to update to the patched versions (Znuny LTS >= 6.5.19 or Znuny >= 7.3.1) as soon as possible. Failure to do so could expose systems to unauthorized data access or manipulation through XSS attacks, potentially compromising sensitive ticket information and user credentials.