Server-Side Template Injection in Zammad Helpdesk System
CVE-2026-34724
8.7 HIGH
What is CVE-2026-34724?
Zammad, a well-known open-source helpdesk and customer support system, is affected by a server-side template injection flaw. The vulnerability allows remote code execution by an attacker who can manipulate type_enrichment_data, which is typically found in high-privilege administrative configurations. The risk is significant because it can give an attacker unauthorized control over the system. Users of Zammad should upgrade to version 7.0.1 or later to mitigate this risk.
Affected Version(s)
zammad >= 7.0.0, < 7.0.1
