CVE-2026-50592: Reflected XSS in Znuny AdminCommunicationLog
Znuny, a widely-used open-source helpdesk and ticketing platform, contains a reflected cross-site scripting (XSS) vulnerability in its administrative communication log interface. An authenticated attacker with login credentials can craft a malicious URL containing injected JavaScript that executes in the browser of another administrator viewing the communication logs. This could allow credential theft, session hijacking, or other actions performed on behalf of the compromised administrator. The vulnerability affects Znuny LTS versions before 6.5.21 and Znuny versions before 7.3.3.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
In Znuny LTS before 6.5.21 and Znuny before 7.3.3, there is reflected XSS in AdminCommunicationLog (aka the communication log administration view).
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-50592 is a reflected XSS flaw (CWE-79) residing in the AdminCommunicationLog component of Znuny. The vulnerability stems from insufficient input sanitization or output encoding when rendering user-supplied data in the communication log administration view. Because exploitation requires authentication and does not mandate user interaction from the victim (the attacker's payload executes when the admin simply views a crafted link), the attack surface is moderately broad within organizations running vulnerable Znuny instances. The CVSS 3.1 score of 6.4 (MEDIUM) reflects the requirement for prior authentication and the limited scope of impact—confidentiality and integrity are compromised, but availability is not directly affected.
Business impact
This vulnerability poses a risk to organizations relying on Znuny for support ticket management. A successful attack could compromise administrator accounts, leading to unauthorized access to sensitive customer communications, ticket data, or system configurations stored within the helpdesk. Attackers could also pivot to inject malicious content, modify ticket histories, or escalate privileges within the Znuny instance. The damage is particularly acute if Znuny is integrated with other systems or houses personally identifiable information (PII) from customers. Organizations should treat this as a priority for patching, especially if their Znuny deployment is internet-facing or accessed by administrators from external networks.
Affected systems
Znuny LTS before version 6.5.21 and Znuny before version 7.3.3 are affected. Organizations running these versions should audit their deployments immediately. Znuny's modular architecture means that only the AdminCommunicationLog view is vulnerable; other modules and features remain unaffected. Verify your installed version via the Znuny administration interface or system console.
Exploitability
Exploitation requires valid Znuny administrator credentials, which limits the attack to insider threats or accounts compromised through phishing or credential reuse. An attacker would craft a URL containing the malicious XSS payload and trick or socially engineer an administrator into clicking it, or inject it into a communication log entry that an admin will view. The reflected nature of the vulnerability means the payload is not stored; it executes only when the specific crafted URL is visited. This reduces widespread impact but does not eliminate risk in targeted attacks against high-value administrators. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no weaponized exploit or in-the-wild campaigns have been documented at publication time.
Remediation
Upgrade Znuny LTS to version 6.5.21 or later, or upgrade Znuny to version 7.3.3 or later. These patched versions contain fixes for the XSS vulnerability in the AdminCommunicationLog interface. Verify the patch version against official Znuny release notes before deployment. If immediate patching is not feasible, restrict administrative access to trusted networks via firewall rules or VPN, and educate administrators about the risks of clicking suspicious links within the Znuny interface.
Patch guidance
1. Review the official Znuny security advisory and release notes for version 6.5.21 (LTS) or 7.3.3 (current branch) to confirm the fix. 2. Test the patched version in a non-production environment to verify compatibility with your current configuration, plugins, and integrations. 3. Plan a maintenance window for patching, as Znuny updates typically require a service restart. 4. Back up your database and configuration files before applying the patch. 5. After patching, verify the AdminCommunicationLog interface loads correctly and test basic communication log functionality. 6. Document the patch application in your change management system.
Detection guidance
Monitor your Znuny logs and web server access logs for suspicious URLs or patterns in the AdminCommunicationLog parameters. Look for encoded JavaScript, script tags, or event handlers (e.g., 'onerror=', 'onload=', 'onclick=') in query parameters or POST data related to communication log views. Implement Web Application Firewall (WAF) rules to block requests containing common XSS payloads targeting the vulnerable parameter. Track successful logins followed by unusual administrative actions as a secondary indicator. Consider deploying browser-based security headers (Content-Security-Policy) to mitigate XSS impact, though this should not be relied upon as the primary fix.
Why prioritize this
Although the CVSS score is MEDIUM (6.4), this vulnerability should be prioritized for patching because it affects a critical administrative function in a customer-facing system. Compromise of administrator accounts can lead to data exfiltration, service disruption, and reputational damage. The low barrier to entry (social engineering an admin into clicking a link) and the lack of user interaction required from the victim make it attractive to motivated attackers. Organizations handling sensitive customer data should treat this as a near-term patch candidate, ideally within 30 days.
Risk score, explained
The CVSS 3.1 score of 6.4 reflects: (1) Network-accessible vector (AV:N) — the vulnerability is exploitable remotely via web browsers; (2) Low attack complexity (AC:L) — no special techniques or conditions are required; (3) Low privilege requirement (PR:L) — attacker must be authenticated, reducing the pool of potential attackers; (4) No user interaction needed from the victim (UI:N) — the admin simply views the malicious URL; (5) Changed scope (S:C) — the vulnerability can affect resources beyond the vulnerable component; (6) Low confidentiality and integrity impact (C:L, I:L) — sensitive data and system state can be compromised, but not destroyed; (7) No availability impact (A:N) — the system remains operational. The MEDIUM severity places it in the middle of the risk spectrum, below critical and high-severity vulns but above low-severity issues.
Frequently asked questions
Do I need to restart Znuny after patching?
Most Znuny patches, including security fixes, require a service restart to take effect. Check the official patch release notes to confirm restart requirements for your specific version. Plan maintenance accordingly and test in a non-production environment first.
Can this vulnerability be exploited without administrator access?
No. The vulnerability requires valid administrator credentials to access the communication log view. However, if an administrator's account is compromised through phishing, password reuse, or credential stuffing, the attacker can then leverage this XSS to further compromise the system or pivot to other targets.
What happens if an attacker successfully exploits this XSS?
An attacker could steal the administrator's session token, impersonate the admin, read or modify ticket data, extract customer PII, change system configurations, or inject malicious content into the helpdesk. The impact depends on the scope of data in Znuny and downstream integrations.
Is there a workaround if I cannot patch immediately?
Temporary mitigations include: (1) restricting administrator access to internal networks only via firewall rules; (2) implementing a Web Application Firewall with rules to block XSS payloads; (3) enforcing multi-factor authentication for admin accounts to reduce the impact of credential compromise; (4) educating administrators to avoid clicking suspicious links. These are not substitutes for patching and should be treated as interim measures only.
This analysis is provided for informational purposes and does not constitute professional security advice. Patch version numbers and details should be verified against official Znuny security advisories and release notes before deployment. No exploit code or weaponized proof-of-concept is included or recommended. Organizations should conduct their own risk assessment and testing in non-production environments. The absence of this vulnerability from the CISA KEV catalog does not guarantee the absence of exploitation in the wild; active threat monitoring is recommended. This vulnerability intelligence is current as of the publication date but may be subject to updates as new information emerges. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1