znuny CVE Vulnerabilities & Metrics

Focus on znuny vulnerabilities and metrics.

Last updated: 29 Jun 2025, 22:25 UTC

About znuny Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with znuny. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total znuny CVEs: 8
Earliest CVE date: 11 Oct 2024, 21:15 UTC
Latest CVE date: 12 May 2025, 15:15 UTC

Latest CVE reference: CVE-2025-26846

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 8

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical znuny CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.0

Max CVSS: 0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	8
4.0-6.9	0
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS znuny CVEs

These are the five CVEs with the highest CVSS scores for znuny, sorted by severity first and recency.

CVE-2025-26846 znuny Published on 12 May 2025, 15:15 UTC (CVSS: 0)
An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to update ticket metadata.
CVE-2025-26847 znuny Published on 08 May 2025, 17:16 UTC (CVSS: 0)
An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.
CVE-2025-26845 znuny Published on 08 May 2025, 17:16 UTC (CVSS: 0)
An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a command executed by the user running the backup.pl script.
CVE-2025-43926 znuny Published on 08 May 2025, 16:15 UTC (CVSS: 0)
An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings.
CVE-2025-26844 znuny Published on 08 May 2025, 16:15 UTC (CVSS: 0)
An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.

All CVEs for znuny

CVE-2025-26846 znuny vulnerability CVSS: 0 12 May 2025, 15:15 UTC

An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to update ticket metadata.

CVE-2025-26847 znuny vulnerability CVSS: 0 08 May 2025, 17:16 UTC

An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.

CVE-2025-26845 znuny vulnerability CVSS: 0 08 May 2025, 17:16 UTC

An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a command executed by the user running the backup.pl script.

CVE-2025-43926 znuny vulnerability CVSS: 0 08 May 2025, 16:15 UTC

An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings.

CVE-2025-26844 znuny vulnerability CVSS: 0 08 May 2025, 16:15 UTC

An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.

CVE-2025-26842 znuny vulnerability CVSS: 0 08 May 2025, 16:15 UTC

An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encrypted e-mail messages is visible to users with access to the CommunicationLog.

CVE-2024-48938 znuny vulnerability CVSS: 0 11 Oct 2024, 21:15 UTC

Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process.

CVE-2024-48937 znuny vulnerability CVSS: 0 11 Oct 2024, 21:15 UTC

Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. JavaScript code in the short description of the SLA field in Activity Dialogues is executed.