CVE-2026-50592
Description
Reflected XSS in Znuny's communication log admin view allows authenticated admins to execute arbitrary JavaScript via crafted URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected Cross-Site Scripting (XSS) vulnerability exists in the communication log administration view (AdminCommunicationLog) in Znuny LTS versions before 6.5.21 and Znuny versions before 7.3.3. URL parameters were rendered into the page output without proper escaping, enabling the injection of arbitrary JavaScript through a crafted URL [1].
Exploitation
An attacker needs to trick an authenticated administrator into visiting a specially crafted URL. Once the administrator opens this URL, the injected JavaScript payload will execute within the administrator's browser, leveraging their existing session's security context [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated administrator's session. This could lead to various malicious actions, such as session hijacking, data theft, or further compromise of the Znuny instance, depending on the administrator's privileges [1].
Mitigation
This vulnerability is fixed in Znuny LTS 6.5.21 and Znuny 7.3.3. Users are advised to update to these versions or later to address the issue [1].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
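To look back through web server access logs for attempts against this view, the following added example (not part of the original page or of Znuny's code) flags requests to Action=AdminCommunicationLog whose parameter values decode to HTML metacharacters. The log lines, the /znuny/index.pl path and the parameter name ExampleParam are constructed placeholders, because the page does not name the affected parameters.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Characters that have to be escaped before a value is written into HTML.
HTML_META = re.compile(r"[<>\"'`]")
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; path and ExampleParam are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jun/2026:10:01:02 +0000] "GET /znuny/index.pl?Action=AdminCommunicationLog;ExampleParam=12 HTTP/1.1" 200 8412',
    '198.51.100.7 - - [05/Jun/2026:10:03:40 +0000] "GET /znuny/index.pl?Action=AdminCommunicationLog&ExampleParam=%22%3E%3Ci%3Eprobe HTTP/1.1" 200 8520',
    '198.51.100.9 - - [05/Jun/2026:10:04:11 +0000] "GET /znuny/index.pl?Action=AgentDashboard;Filter=%3Cb%3E HTTP/1.1" 200 9100',
    '198.51.100.7 - - [05/Jun/2026:10:05:00 +0000] "GET /znuny/index.pl?Action=AdminCommunicationLog;ExampleParam=%2522%253E HTTP/1.1" 200 8520',
]

def suspicious_params(url):
    """Return (name, decoded value) pairs that carry HTML metacharacters,
    but only for requests addressed to Action=AdminCommunicationLog."""
    # Parameters may be separated by ';' as well as '&', so normalise first.
    query = urlsplit(url).query.replace(";", "&")
    pairs = parse_qsl(query, keep_blank_values=True)
    if ("Action", "AdminCommunicationLog") not in pairs:
        return []
    hits = []
    for name, value in pairs:
        decoded = unquote_plus(value)  # second pass catches double encoding
        if HTML_META.search(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Return (line number, hits) for every log line worth reviewing."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            findings.append((number, hits))
    return findings

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

Only the query string is inspected, so parameters sent in a POST body do not appear in these findings.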
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.