CVE-2026-50592
Deferred - Pending Action
Reflected XSS in Znuny LTS and Znuny AdminCommunicationLog

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: MITRE

Description
In Znuny LTS before 6.5.21 and Znuny before 7.3.3, there is reflected XSS in AdminCommunicationLog (aka the communication log administration view).
Meta Information
Published: 2026-06-05
Last Modified: 2026-06-05
Generated: 2026-06-25
AI Q&A: 2026-06-05
EPSS Evaluated: 2026-06-24
Related entries: NVD, EUVD
Affected Vendors & Products
Vendor   Product     Version / Range
znuny    znuny_lts   up to 6.5.21 (excluding)
znuny    znuny       up to 7.3.3 (excluding)
znuny    znuny       6.0
znuny    znuny       6.1
znuny    znuny       6.2
znuny    znuny       6.3
znuny    znuny       6.4
znuny    znuny       7.0
znuny    znuny       7.1
znuny    znuny       7.2
CWE
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the communication log administration view (AdminCommunicationLog) of Znuny. Request parameters sent to that view are rendered into the page output without proper escaping, so an attacker can embed arbitrary JavaScript in a crafted link to it.

AdminCommunicationLog is part of Znuny's administration interface, so the payload only fires when a user who can reach that view, that is an authenticated administrator, opens the crafted URL; the injected JavaScript then executes in that administrator's browser within the security context of their session. Because the payload is reflected rather than stored, each victim has to be lured to the link, typically through a phishing message.

Impact Analysis

The vulnerability can lead to unauthorized execution of malicious scripts in the browser of an authenticated administrator. The script runs with the administrator's session, so the attacker can hijack that session, read whatever the administration interface exposes (including the communication log itself, which contains mail traffic metadata), or perform any action the administrator can, such as changing system configuration or creating further privileged accounts. In a helpdesk system that amounts to full application compromise, even though the initial foothold is "only" a link.

Detection Guidance

This is a reflected XSS issue in the AdminCommunicationLog view of Znuny, so there is no stored payload to find in the database; detection means spotting the crafted URLs in web server, reverse-proxy or WAF logs, or in the mail and ticket content used to deliver them.

Znuny routes requests through index.pl and selects the view with the Action query parameter, so requests to this view carry Action=AdminCommunicationLog in the query string. Monitor those requests for additional parameters containing HTML tags, event-handler attributes or javascript: URLs. Keep two things in mind: payloads are usually URL-encoded (sometimes doubly) in the log, and a successful exploit returns HTTP 200 just like a legitimate page view, so the status code is no signal.

Specific commands depend on your environment. With Apache or nginx access logs, for example, search for the view's Action parameter and for both raw and percent-encoded payload markers (browsers and tools encode "<" as %3C, so a grep for a literal "<script" alone misses most real attempts):

  • grep -iE "<script|%3Cscript|javascript:|javascript%3A|onerror=|onerror%3D|onload=|onload%3D" /path/to/your/webserver/access.log
  • grep -i 'Action=AdminCommunicationLog' /path/to/your/webserver/access.log | grep -iE "<|%3C|javascript|on[a-z]+(=|%3D)"
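The grep commands above still miss double-encoded payloads (%253C) and cannot tell which parameter carried the injection. The following is an added example, not code from the advisory or from the Znuny project: it parses the request line of each access-log entry, scopes to Action=AdminCommunicationLog, fully URL-decodes every parameter and only then applies the XSS heuristics. The sample log lines are constructed, and the Filter parameter name in them is an assumption, since the advisory does not say which parameter the view reflects.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache "combined" format; not real traffic.
# "Filter" is an assumed parameter name: the advisory does not name the reflected
# parameter, so the scanner matches on any parameter of the targeted Action.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [05/Jun/2026:10:00:01 +0000] "GET /znuny/index.pl?Action=AdminCommunicationLog&Subaction=Overview HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Jun/2026:10:00:02 +0000] "GET /znuny/index.pl?Action=AgentTicketZoom&TicketID=42&Filter=%3Cb%3E HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jun/2026:10:05:11 +0000] "GET /znuny/index.pl?Action=AdminCommunicationLog&Filter=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5100 "-" "curl/8.0"',
    '198.51.100.7 - - [05/Jun/2026:10:05:12 +0000] "GET /znuny/index.pl?Action=AdminCommunicationLog&Filter=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5100 "-" "curl/8.0"',
    '198.51.100.7 - - [05/Jun/2026:10:05:13 +0000] "GET /znuny/index.pl?Action=AdminCommunicationLog&Filter=%3Ca+href%3D%22JaVaScRiPt%3Aalert(1)%22%3Ex%3C%2Fa%3E HTTP/1.1" 200 5100 "-" "curl/8.0"',
]

# Request line as logged by Apache/nginx: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Heuristic markers of an HTML/JS injection attempt. Applied to fully decoded
# parameter names and values, so percent-encoding tricks do not hide them.
XSS_RE = re.compile(r"<\s*/?\s*[a-z]+|javascript\s*:|\bon[a-z]+\s*=", re.I)

TARGET_ACTION = "AdminCommunicationLog"


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding; attackers double-encode to slip past naive greps."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a finding for an XSS-looking request to the target Action, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qsl decodes one layer (and '+' to space); fully_decode strips the rest.
    params = [(fully_decode(k), fully_decode(v))
              for k, v in parse_qsl(query, keep_blank_values=True)]
    if dict(params).get("Action") != TARGET_ACTION:
        return None  # other views are out of scope for this CVE
    hits = [(k, v) for k, v in params if XSS_RE.search(k) or XSS_RE.search(v)]
    if not hits:
        return None
    return {"client": line.split(" ", 1)[0], "suspicious_params": hits}


def scan_log(lines):
    """Scan an iterable of access-log lines and return all findings."""
    return [f for f in map(scan_line, lines) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(finding["client"], finding["suspicious_params"])
```

Feed it a real log with `scan_log(open("/path/to/access.log"))`. The benign AdminCommunicationLog request and the AgentTicketZoom request with a tag in it both produce nothing, while the three crafted requests, including the double-encoded one, are reported with the decoded parameter that carried the payload.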

Additionally, you can use web vulnerability scanners that support reflected XSS detection against the AdminCommunicationLog URL to identify if the vulnerability is present.

Mitigation Strategies

The primary mitigation is to upgrade Znuny to a fixed version: Znuny LTS 6.5.21 or later, or Znuny 7.3.3 or later.

Until you can upgrade, reduce the chance that an administrator's browser ever renders a crafted request: restrict the administration interface (the Admin* Actions) to trusted networks or a VPN at the web server or reverse proxy, keep membership of the admin group to a minimum, and warn administrators not to open AdminCommunicationLog links received by mail, chat or ticket. Because the XSS is reflected, every attack requires an administrator to follow a link, so these controls cut off the delivery path rather than the bug itself.

A web application firewall rule that blocks requests to the AdminCommunicationLog endpoint whose other parameters contain script tags, event-handler attributes or javascript: URLs also reduces risk. Treat it as a stopgap: pattern rules are bypassable with encoding and markup variants, and the only real fix is the vendor patch.
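An illustrative rule pair for that stopgap, added here and not taken from the advisory or from Znuny. It assumes Apache with ModSecurity, the stock Znuny URL scheme (index.pl?Action=...), and an arbitrarily chosen rule id of 1000592; the pattern list is a heuristic and should be expected to miss some encodings, which is why the upgrade remains the fix.

```apache
# Block requests to the vulnerable view whose parameters look like HTML/JS injection.
# Chained rule: the first rule scopes to Action=AdminCommunicationLog, the second
# inspects every other parameter name and value after decoding.
SecRule ARGS:Action "@streq AdminCommunicationLog" \
    "id:1000592,phase:2,t:none,log,deny,status:403,\
    msg:'Possible reflected XSS against Znuny AdminCommunicationLog (CVE-2026-50592)',\
    chain"
    # ARGS is already decoded once by the engine; urlDecodeUni catches double encoding.
    SecRule ARGS|ARGS_NAMES "@rx (?i)(<\s*/?\s*(script|img|svg|iframe|body|object|embed)|javascript\s*:|\bon[a-z]+\s*=)" \
        "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace"
```

Deploy it first with `pass` instead of `deny` and watch the audit log for a day, since legitimate communication-log filters that happen to contain angle brackets would otherwise be blocked for administrators.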

Compliance Impact

The provided information does not specify how the reflected XSS vulnerability in Znuny affects compliance with common standards and regulations such as GDPR or HIPAA.
