Security Advisory

ZAA-2025-06

Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

Security Advisory Details

  • ID: ZAA-2025-06
  • Date: 2025-08-13
  • Title: HTML Injection
  • Severity: low
  • Product: Zammad 6.5.x
  • Fixed in: Zammad 6.5.1
  • References:
    --> pending CVE assignment

Vulnerability Descriptions

HTML Injection

Several parts of the Zammad front end did not correctly HTML-escape data on output. This could lead to HTML injection in the browser. Execution of JavaScript code was, however, correctly prevented by the content security policy.
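
An added illustration of the two layers described above (not Zammad's code): escaping at the point of output as the fix, and a content security policy as the control that keeps injected markup from running script. The function names, the sample title and the sample policy are constructed for this example.

```javascript
// Added illustration; renderRaw/renderEscaped and the sample values are
// constructed here and are not taken from Zammad's code base.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": user data is concatenated into markup unchanged.
function renderRaw(title) {
  return `<div class="ticket-title">${title}</div>`;
}

// "After": user data is escaped at the point of output.
function renderEscaped(title) {
  return `<div class="ticket-title">${escapeHtml(title)}</div>`;
}

// List the element names a browser would parse from the rendered string.
function elementsIn(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b/g)].map((m) => m[1].toLowerCase());
}

// True when script-src (or the default-src fallback) is present and does not
// list 'unsafe-inline'. Simplified: nonces, hashes and script-src-elem are not evaluated.
function cspBlocksInlineScript(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  const sources = directives.get('script-src') ?? directives.get('default-src');
  return sources !== undefined && !sources.includes("'unsafe-inline'");
}

// Constructed input: markup in a field that should be plain text.
const sampleTitle = 'Printer <b>broken</b><script>void 0</script>';
// Constructed policy for the demonstration, not Zammad's actual header.
const samplePolicy = "default-src 'self'; script-src 'self'";

console.log(elementsIn(renderRaw(sampleTitle)));     // [ 'div', 'b', 'script' ]
console.log(elementsIn(renderEscaped(sampleTitle))); // [ 'div' ]
console.log(cspBlocksInlineScript(samplePolicy));    // true
```

With the raw renderer the policy still stops the script element from executing, but the other injected elements are parsed and displayed; only the escaped renderer keeps the field as text.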

Special 🙏 and 🤘 and ❤️ to:

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

Or just update your Zammad if installed via OS package manager.

Additional information

Online version of this advisory: https://zammad.com/en/advisories/zaa-2025-06

Please see our security policy and send remarks on security issues exclusively to security@zammad.com.
