CVE-2026-50591: Stored XSS in Znuny User Preferences – CVSS 5.4 Analysis & Patch Guide
Znuny, a popular open-source ticketing and service management platform, contains a stored cross-site scripting (XSS) vulnerability in its user preference settings. An authenticated attacker can inject malicious scripts into their profile preferences, which are then executed in the browsers of other users viewing that profile. This affects Znuny LTS versions before 6.5.21 and Znuny versions before 7.3.3. The vulnerability requires an attacker to have valid login credentials and user interaction (another user must visit the attacker's profile) to trigger the payload.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
In Znuny LTS before 6.5.21 and Znuny before 7.3.3, XSS can occur via stored user preferences.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-50591 is a stored XSS vulnerability (CWE-79) in Znuny's user preference functionality. The vulnerability allows authenticated users to inject unsanitized JavaScript into preference fields that persist in the application database. When other users access the affected user's profile or related interface elements, the malicious script executes in their session context with their privileges. The attack vector is network-based, requires valid authentication, and depends on user interaction. The CVSS 3.1 score of 5.4 (MEDIUM) reflects the requirement for authentication and user interaction, which constrains the practical impact despite the vulnerability's cross-site nature.
Business impact
For organizations running Znuny as their service desk or ticketing backbone, this vulnerability creates operational and trust risks. Malicious insiders or compromised user accounts can silently harvest session tokens, modify ticket data, or redirect support staff to phishing pages—all without triggering alerts. Reputational damage occurs if support staff or customers discover injected content. The vulnerability requires no special access tier, meaning any authenticated user (including low-privilege support agents) becomes a potential attack surface. Affected organizations face the need to audit user preference fields across their Znuny deployment, reset compromised sessions, and validate patch readiness before production deployment.
Affected systems
Znuny LTS (long-term support) versions prior to 6.5.21 and Znuny standard versions prior to 7.3.3 are vulnerable. Organizations should verify their exact installed version in the system configuration or admin panel. Znuny LTS users are typically on longer release cycles, so patch availability may differ from standard branch timelines. Community and commercial Znuny deployments are both affected.
Exploitability
Exploitability is moderate. An attacker must possess valid login credentials—either through social engineering, compromised accounts, or insider access. Once authenticated, injecting malicious JavaScript into user preference fields requires no special privileges or additional bypasses. However, exploitation depends on a second user (a colleague or manager) visiting the attacker's profile or preference page, which is expected behavior in most ticketing workflows but not guaranteed. The low barrier to execution for authenticated users makes this a credible insider threat and a concern for organizations with weak password policies or exposed credentials.
Remediation
Upgrade Znuny LTS installations to version 6.5.21 or later, and upgrade standard Znuny to version 7.3.3 or later. These versions include input validation and output encoding fixes for user preference fields. Organizations should plan upgrades during low-traffic windows, as ticketing system downtime can disrupt support operations. Before patching, consider disabling or restricting user preference modification via access controls if your Znuny deployment allows it. Test patches in a staging environment to confirm compatibility with custom modules or integrations.
Patch guidance
Verify your Znuny version in the admin panel (System → System Information). For Znuny LTS users on 6.0.x–6.5.20, update to 6.5.21. For standard branch users on 7.0.x–7.3.2, update to 7.3.3. Consult the official Znuny release notes and security advisories for your branch to confirm patch availability and any configuration migration steps. If you maintain custom modules that interact with user preferences, test them thoroughly post-upgrade to ensure they respect the new validation logic. Plan a staged rollout if managing multiple Znuny instances.
Detection guidance
Monitor for suspicious stored data in user preference fields (database tables related to user settings). Search application logs for unusually high rates of user preference modifications, especially by accounts with low activity history. Deploy a Web Application Firewall (WAF) rule to detect JavaScript patterns in HTTP requests targeting preference endpoints. Query your Znuny database for script tags or encoded JavaScript in preference fields—sanitized content should not contain HTML entities like `<script>`, `onerror=`, or `onclick=`. Endpoint Detection & Response (EDR) tools on staff workstations can flag unexpected script execution originating from the Znuny domain. If available, enable Znuny audit logging for preference changes and correlate with user login times.
Why prioritize this
Although the CVSS score is MEDIUM (5.4), organizational context elevates priority. Service desk systems are high-trust environments where phishing and credential theft directly compromise customer-facing operations. Insider risk is non-trivial in IT departments, and the low barrier to exploitation for any authenticated user increases likelihood. The stored nature of the XSS means a single injection can affect multiple users over time, making cleanup and forensics harder. Organizations should prioritize patching based on their user base size and the sensitivity of tickets handled; those managing financial, healthcare, or personnel data face greater risk.
Risk score, explained
The CVSS 3.1 score of 5.4 reflects a MEDIUM severity: network-accessible, low complexity, but requiring authentication and user interaction. The score appropriately penalizes exploitation for these constraints. However, the score does not account for the organizational trust level of ticketing systems or the reputational/operational impact of a compromised support desk. Security teams should apply their own risk multiplier based on the role of Znuny in their infrastructure and the sensitivity of data it processes.
Frequently asked questions
Do we need to restart Znuny after applying the patch?
Yes. Always perform a controlled restart of the Znuny service after updating code. Most package managers (apt, yum) handle this automatically, but verify in your deployment documentation. Coordinate the restart with your change control process and notify support staff of any expected downtime.
Can we detect if an attacker has already injected malicious scripts into our Znuny database?
Yes. Query the user preferences database tables for suspicious content (look for script tags, event handlers, base64-encoded payloads). Export user preference data and scan it with static analysis tools. Review Znuny's audit logs for preference modification events, especially outside normal business hours or by accounts with unusual access patterns. Your database administrator can help craft targeted queries.
Does this vulnerability affect read-only or guest accounts?
No. The vulnerability requires authentication (PR:L in the CVSS vector). Guest or anonymous users cannot inject payloads. However, any authenticated account—including low-privilege support staff—can be abused. Review your access control policies to ensure principle of least privilege is enforced.
What if we cannot patch immediately?
Implement compensating controls: disable user preference modification in your Znuny web server configuration (web server rules or Perl routing), restrict access to preference pages to specific staff roles, monitor preference change logs closely, and increase session timeout enforcement. These are temporary measures; plan a patch deployment as soon as feasible.
This analysis is provided for informational purposes to support vulnerability risk assessment and patch management. The information is based on the published CVE record and vendor guidance available as of the date of analysis. Readers should verify all patch version numbers, timelines, and availability against official Znuny security advisories and release notes before deploying patches. Organizational risk varies based on deployment configuration, data sensitivity, and user base; consult your security team and system administrators to assess applicability to your environment. No warranty is provided regarding the completeness or accuracy of this analysis. This document does not constitute professional security advice. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1