Executive Summary

CVE-2026-34718 is a moderate severity vulnerability affecting Zammad versions up to 7.0.0. It arises from improper sanitization of data URI schemes in ticket articles by the HTML sanitizer, allowing malicious script-related HTML tags to be stored in the Zammad database.

Although the Zammad GUI renders this malicious content, Content Security Policy (CSP) rules prevent exploitation through user interaction such as clicking malicious links.

The vulnerability is classified as CWE-80, meaning improper neutralization of script-related HTML tags in a web page, commonly known as Cross-Site Scripting (XSS). It occurs because special characters like <, >, and & are not properly neutralized.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows remote attackers to inject malicious script-related HTML content into ticket articles without requiring any privileges or user interaction.

The impact on the system is low integrity compromise, meaning unauthorized modification of system data is possible.

There is no impact on confidentiality or availability of the system, and the existing Content Security Policy (CSP) helps mitigate exploitation.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves improper sanitization of script-related HTML tags and data URI schemes in ticket articles stored in the Zammad database. Detection would involve inspecting ticket article contents for malicious script-related HTML tags or data URI schemes that should have been sanitized.

Since the vulnerability is related to stored content in the Zammad database, detection can be performed by querying the database for ticket articles containing suspicious HTML tags or data URI schemes.

No specific commands are provided in the available resources, but a general approach could be to run database queries searching for patterns like <script>, javascript:, or data: URI schemes within ticket article fields.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Zammad to version 7.0.1 or 6.5.4 or later, where the vulnerability has been fixed by properly sanitizing the HTML content in ticket articles.

Additionally, the existing Content Security Policy (CSP) rules in Zammad help prevent exploitation by blocking malicious script execution in the GUI, so ensuring CSP is properly configured and enforced is important.

Until the upgrade is applied, monitor and review ticket articles for suspicious content and consider manual sanitization or removal of potentially malicious entries.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows injection of malicious script-related HTML content into ticket articles, potentially compromising data integrity but not confidentiality or availability.

Since confidentiality is not impacted and the Content Security Policy (CSP) prevents exploitation through user interaction, the risk to sensitive personal data protected under regulations like GDPR or HIPAA is limited.

However, any compromise of data integrity in a helpdesk system could still pose compliance concerns depending on the nature of the data handled and organizational policies.

Useful 0 Not Useful 0