znuny 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に vendor risk cross-site scripting and vendor risk sql injection などに関し、一部は vendor impact data exposure を招き、vendor surface production workloads and vendor surface software deployment 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-50592 | In Znuny LTS before 6.5.21 and Znuny before 7.3.3, there is reflected XSS in AdminCommunicationLog (aka the communication log administration view). | [email protected] | 6.4 | 0.15% | 2026-06-04 | 2026-06-17 |
| CVE-2026-50591 | In Znuny LTS before 6.5.21 and Znuny before 7.3.3, XSS can occur via stored user preferences. | [email protected] | 5.4 | 0.13% | 2026-06-04 | 2026-06-17 |
| CVE-2025-26846 | An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to update ticket metadata. | [email protected] | 9.8 | 0.40% | 2025-05-12 | 2026-06-17 |
| CVE-2025-26847 | An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked. | [email protected] | 7.5 | 0.34% | 2025-05-08 | 2026-06-17 |
| CVE-2025-26845 | An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a command executed by the user running the backup.pl script. | [email protected] | 9.8 | 0.41% | 2025-05-08 | 2026-06-17 |
| CVE-2025-43926 | An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings. | [email protected] | 6.1 | 0.20% | 2025-05-08 | 2026-06-17 |
| CVE-2025-26844 | An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag. | [email protected] | 9.8 | 0.37% | 2025-05-08 | 2026-06-17 |
| CVE-2025-26842 | An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encrypted e-mail messages is visible to users with access to the CommunicationLog. | [email protected] | 7.5 | 0.29% | 2025-05-08 | 2026-06-17 |
| CVE-2024-48938 | Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process. | [email protected] | 7.5 | 0.57% | 2024-10-11 | 2026-06-17 |
| CVE-2024-48937 | Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. JavaScript code in the short description of the SLA field in Activity Dialogues is executed. | [email protected] | 6.1 | 0.36% | 2024-10-11 | 2026-06-17 |
| CVE-2024-32493 | An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request. | [email protected] | 8.8 | 0.71% | 2024-04-29 | 2026-06-17 |
| CVE-2024-32492 | An issue was discovered in Znuny 7.0.1 through 7.0.16 where the ticket detail view in the customer front allows the execution of external JavaScript. | [email protected] | 7.1 | 0.53% | 2024-04-29 | 2026-06-17 |
| CVE-2024-32491 | An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing paths. Arbitrary code can be executed if this location is publicly available through the web server. | [email protected] | 9.8 | 0.72% | 2024-04-29 | 2026-06-17 |