HTML Sanitization Flaw in Zammad Helpdesk Software
CVE-2026-34718

5.3 MEDIUM

Key Information:

Vendor: Zammad
Status: Vendor
CVE Published: 8 April 2026

What is CVE-2026-34718?

Zammad, an open-source helpdesk and customer support system, sanitizes the HTML of ticket articles before storing them. In versions before 6.5.4 and, on the 7.0 line, from 7.0.0-alpha up to but not including 7.0.1, that sanitization was incomplete, so crafted markup in a ticket article could be stored in the database and later rendered to users who view the ticket. The Content Security Policy (CSP) Zammad ships limits what such content can do in the browser, which is reflected in the Low integrity impact, but the stored links remain a risk if a user clicks them. Upgrade to 6.5.4 or 7.0.1 (or later) to get the corrected sanitizer.
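To make the class of defect concrete, the following is an added example in Python; it is not Zammad's code and does not reproduce the specific gap behind CVE-2026-34718. It places a blocklist-style link check, of the kind that misses the URL normalisation browsers perform, next to a parser-based allowlist sanitizer that validates the decoded, normalised scheme of every href before an article body is stored. The tag and attribute allowlists, the function names and the sample article are assumptions made for the illustration; only the Python standard library is used.

```python
"""Allowlist sanitizer for stored rich text such as helpdesk ticket articles.

Added illustration, not Zammad's code: it contrasts a link check that trusts
the raw attribute text with a hardened, parser-based version.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlists for the illustration; a real product tunes these.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def naive_href_is_safe(href):
    """Blocklist check of the kind that gets bypassed (hypothetical, for contrast).

    It recognises only the literal prefix. A tab inside the scheme or a leading
    control character, both of which browsers discard before reading the
    scheme, slip past it.
    """
    return not href.lower().startswith("javascript:")


def normalise_href(href):
    """Apply the URL-standard cleanup a browser performs before parsing:
    strip leading/trailing C0 controls and spaces, delete tabs and newlines.
    Recent urlsplit() does this too; doing it here avoids depending on the
    interpreter version."""
    stripped = href.strip(C0_AND_SPACE)
    return stripped.replace("\t", "").replace("\n", "").replace("\r", "")


def safe_href(href):
    """Return the href to store, or None if the link must be dropped."""
    url = normalise_href(href)
    scheme = urlsplit(url).scheme.lower()
    if not scheme:
        return None  # scheme-less/relative: reject, keeps the rule simple
    return url if scheme in ALLOWED_SCHEMES else None


class ArticleSanitizer(HTMLParser):
    """Rebuild markup from the parsed token stream, keeping only allowlisted
    tags and attributes. html.parser decodes entities in attribute values
    before handle_starttag runs, so an encoded scheme cannot hide from
    safe_href the way it would from a regex over the raw source."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # covers every on* handler and style=
            if name == "href":
                value = safe_href(value or "")
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_article(html):
    """Sanitize one article body on the way into the database."""
    parser = ArticleSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample article body, not captured from any real system.
    sample = ('<p>Hi, see <a href="https://example.com/kb">the docs</a> or '
              '<a href="java\tscript:alert(1)">this</a>.</p>'
              '<script>alert(1)</script><b onmouseover="x()">bold</b>')
    print(sanitize_article(sample))
```

The sanitizer is the primary control here: it runs once, at write time, so whatever reaches the database is already safe to render. A CSP, as the advisory notes, is a second layer that constrains what injected script could do, but it does not stop a user from following a stored link, which is why the link target itself has to be validated on its normalised form rather than on whatever bytes the attribute happened to contain.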

Affected Version(s)

zammad < 6.5.4

zammad >= 7.0.0-alpha, < 7.0.1

CVSS v4

Score: 5.3
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown
Confidentiality: None
Integrity: Low
Availability: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 8 April 2026