Zammad 5.2.0 suffers from Incorrect Access Control. Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files.
Conclusion & alert: CVE-2022-35487 is rated Moderate Risk (46/100): CVSS High severity, with low exploitation likelihood (EPSS 0.65%).Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
Exploit prediction scoring system (EPSS) score for CVE-2022-35487
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).