anonhaven
Ad

CVE-2026-34724

HIGH CVSS 4.0: 8.7 EPSS 0.06%
Updated Apr 17, 2026
Zammad
Parameter Value
CVSS 8.7 (HIGH)
Fixed In 7.0.1
Type CWE-1336 (Template Injection), CWE-94 (Code Injection)
Vendor Zammad
Public PoC No

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent exists. Impact is limited to environments where an attacker can control or influence type_enrichment_data (typically high-privilege administrative configuration).

This vulnerability is fixed in 7.0.1.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
High
Admin privileges needed
User Interaction
Active
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-1336 Template Injection
CWE-94 Code Injection

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Zammad Zammad
cpe:2.3:a:zammad:zammad:7.0.0:*:*:*:*:*:*:*

References 1

https://github.com/zammad/zammad/security/advisories/GHSA-fg9w-jg8f-4j94
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-34837

Zammad

5.3

CVE-2026-34782

Zammad

5.3

CVE-2026-34723

Zammad

8.7

CVE-2026-34722

Zammad

6.9

CVE-2026-34721

Zammad

5.9