CVE-2026-34718
Zammad improperly neutralizes of script-related HTML tags in ticket articles
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in storing such malicious content in the database of the Zammad instance. The Zammad GUI is rendering this content, due to applied CSP rules no harm was done by e.g., clicking such a link. This vulnerability is fixed in 7.0.1 and 6.5.4.
| CWE | CWE-80 |
| Vendor | zammad |
| Product | zammad |
| Published | Apr 8, 2026 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for zammad zammad
Be the first to know when new unknown vulnerabilities affecting zammad zammad are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
zammad / zammad
< 6.5.4 >= 7.0.0-alpha, < 7.0.1