CVE-2026-34718
Stored XSS via Improper HTML Sanitization in Zammad Tickets
Publication date: 2026-04-08
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zammad | zammad | 7.0.0 |
| zammad | zammad | < 6.5.4 (6.5.4 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34718 is a moderate severity vulnerability affecting Zammad versions up to 7.0.0. It arises from improper sanitization of data URI schemes in ticket articles by the HTML sanitizer, allowing malicious script-related HTML tags to be stored in the Zammad database.
Although the Zammad GUI renders this malicious content, Content Security Policy (CSP) rules prevent exploitation through user interaction such as clicking malicious links.
The vulnerability is classified as CWE-80, meaning improper neutralization of script-related HTML tags in a web page, commonly known as Cross-Site Scripting (XSS). It occurs because special characters like <, >, and & are not properly neutralized.
How can this vulnerability impact me?
This vulnerability allows remote attackers to inject malicious script-related HTML content into ticket articles without requiring any privileges or user interaction.
The impact on the system is low integrity compromise, meaning unauthorized modification of system data is possible.
There is no impact on confidentiality or availability of the system, and the existing Content Security Policy (CSP) helps mitigate exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper sanitization of script-related HTML tags and data URI schemes in ticket articles stored in the Zammad database. Detection would involve inspecting ticket article contents for malicious script-related HTML tags or data URI schemes that should have been sanitized.
Since the vulnerability is related to stored content in the Zammad database, detection can be performed by querying the database for ticket articles containing suspicious HTML tags or data URI schemes.
No specific commands are provided in the available resources, but a general approach is to query the ticket article fields for patterns such as `<script>`, `javascript:` or `data:` URI schemes, treating each match as a candidate for manual review rather than as confirmed exploitation.
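As an added example (not code from the page or from the Zammad project), the following Ruby script implements the detection approach described above. It normalises a stored article body the way a browser would before matching, then flags the patterns the answer names (`<script>` tags, `javascript:` and `data:` URIs in link or source attributes) plus inline event handlers. The article bodies below are constructed for the example; in a real deployment the same `scan_articles` function would be applied to rows read from the Zammad article table, which is assumed here to hold the article HTML in a `body` column.

```ruby
require 'cgi'

# Patterns an HTML sanitizer is expected to have neutralised in ticket article
# HTML. Key order determines the order of names in each finding list.
SUSPICIOUS_PATTERNS = {
  script_tag:     /<\s*script\b/i,
  javascript_uri: /\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript\s*:/i,
  data_uri:       /\b(?:href|src|action|formaction)\s*=\s*["']?\s*data\s*:/i,
  event_handler:  /<[^>]*\son[a-z]+\s*=/i
}.freeze

# Decode HTML entities once (so "&#106;avascript:" cannot hide from the
# patterns) and drop the control characters browsers ignore inside a scheme.
def normalise(html)
  CGI.unescapeHTML(html.to_s).gsub(/[\u0000-\u0008\u000b\u000c\u000e-\u001f]/, '')
end

# Names of every pattern that matches one article body.
def findings_for(body)
  text = normalise(body)
  SUSPICIOUS_PATTERNS.select { |_name, re| text.match?(re) }.keys
end

# Scans an array of { id:, body: } hashes and returns only the flagged ones,
# each with the list of pattern names that matched.
def scan_articles(articles)
  articles.each_with_object([]) do |article, out|
    hits = findings_for(article[:body])
    out << { id: article[:id], findings: hits } unless hits.empty?
  end
end

# Constructed sample articles standing in for rows of the ticket article table
# (assumed column name: body). Not real Zammad data.
SAMPLE_ARTICLES = [
  { id: 1, body: '<p>Hello, please see the attached invoice.</p>' },
  { id: 2, body: '<a href="data:text/html;base64,PHNjcmlwdD4=">open</a>' },
  { id: 3, body: '<img src="x" onerror="alert(1)">' },
  { id: 4, body: '<a href="&#106;avascript:alert(1)">click</a>' },
  { id: 5, body: '<a href="https://example.com/data:notascheme">ok</a>' }
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_articles(SAMPLE_ARTICLES).each do |hit|
    puts "article #{hit[:id]}: #{hit[:findings].join(', ')}"
  end
end
```

Article 5 shows why the attribute-anchored patterns matter: a `data:` substring inside an ordinary `https://` path is not a URI scheme and is correctly left alone, while article 4 is caught only because entities are decoded before matching. A hit marks an article for the manual review the mitigation answer recommends; it does not by itself prove that the content was rendered or executed.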
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Zammad to version 7.0.1 or 6.5.4 or later, where the vulnerability has been fixed by properly sanitizing the HTML content in ticket articles.
Additionally, the existing Content Security Policy (CSP) rules in Zammad help prevent exploitation by blocking malicious script execution in the GUI, so ensuring CSP is properly configured and enforced is important.
Until the upgrade is applied, monitor and review ticket articles for suspicious content and consider manual sanitization or removal of potentially malicious entries.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows injection of malicious script-related HTML content into ticket articles, potentially compromising data integrity but not confidentiality or availability.
Since confidentiality is not impacted and the Content Security Policy (CSP) prevents exploitation through user interaction, the risk to sensitive personal data protected under regulations like GDPR or HIPAA is limited.
However, any compromise of data integrity in a helpdesk system could still pose compliance concerns depending on the nature of the data handled and organizational policies.