Hello team,
I have a Znuny system, "Latest LTS-Version (6.5.21 / 2026-05-27)", and the code is frequently being scanned for security reasons.
I've been receiving emails from the CISO department indicating that my system is vulnerable and that I need to apply remediation urgently.
What would be your recommendation?
Are these vulnerabilities present in Znuny version 7?
Could I update my system to Znuny 7 and thus patch the vulnerabilities I currently have with Znuny 6?
❌ CVE-2026-6659
Vulnerable Library - Znunyrel-7_3_2
Library home page: https://github.com/znuny/Znuny.git
Found in HEAD commit: fdff5582e0662960444df7a7d8bbe2612a4eb9a6
Found in base branch: main
Vulnerable Source Files (1)
/Kernel/cpan-lib/Crypt/PasswdMD5.pm
Vulnerability Details
Crypt::PasswdMD5 versions through 1.42 for Perl generate insecure random values for salts.
The built-in rand function is predictable, and unsuitable for cryptography.
Publish Date: 2026-05-08
URL: CVE-2026-6659
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
❌ CVE-2024-32492
Vulnerable Library - Znunyrel-7_3_2
Library home page: https://github.com/znuny/Znuny.git
Found in HEAD commit: fdff5582e0662960444df7a7d8bbe2612a4eb9a6
Found in base branch: main
Vulnerable Source Files (1)
Vulnerability Details
An issue was discovered in Znuny 7.0.1 through 7.0.16 where the ticket detail view in the customer front allows the execution of external JavaScript.
Publish Date: 2024-04-29
URL: CVE-2024-32492
CVSS 3 Score Details (7.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.znuny.org/en/advisories/zsa-2024-02
Release Date: 2024-04-15
Fix Resolution: rel-7_0_17
❌ CVE-2026-8368
Vulnerable Library - Znunyrel-7_3_2
Library home page: https://github.com/znuny/Znuny.git
Found in HEAD commit: fdff5582e0662960444df7a7d8bbe2612a4eb9a6
Found in base branch: main
Vulnerable Source Files (1)
/Kernel/cpan-lib/LWP/UserAgent.pm
Vulnerability Details
LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.
On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes.
A redirect to an attacker-controlled host therefore discloses the caller's credentials to that host.
Publish Date: 2026-05-12
URL: CVE-2026-8368
CVSS 3 Score Details (6.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/libwww-perl/libwww-p ... 31ea6cb2c6
Release Date: 2026-05-12
Fix Resolution: https://github.com/libwww-perl/libwww-perl.git - v6.83
❌ CVE-2025-25977
Vulnerable Library - canvg-1.5.js
Javascript SVG parser and renderer on Canvas
Library home page: https://cdnjs.cloudflare.com/ajax/libs/ ... 5/canvg.js
Path to vulnerable library: /var/httpd/htdocs/js/thirdparty/canvg-1.5/canvg.js
Dependency Hierarchy:
canvg-1.5.js (Vulnerable Library)
Found in HEAD commit: d3e46f2c760e609c0ac798c6bc9e61b99bc8eef8
Found in base branch: main
Vulnerability Details
An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement.
Publish Date: 2025-03-10
URL: CVE-2025-25977
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-v2mw-5mch-w8c5
Release Date: 2025-03-10
Fix Resolution: canvg - 3.0.11, canvg - 4.0.3 (https://github.com/canvg/canvg.git - v3.0.11, v4.0.3)
josemiguelgonzalezu - Znuny newbie - Posts: 12 - Joined: 05 Oct 2022, 21:48 - Znuny Version: 7.0.6 - Real Name: Jose Gonzalez
root - Administrator - Posts: 4319 - Joined: 18 Dec 2007, 12:23 - Znuny Version: Znuny and Znuny LTS - Real Name: Roy Kaldung - Company: Znuny
Re: Vulnerability CVE-2026-6659 - CVE-2024-32492 - CVE-2026-8368 - CVE-2025-25977
Hi,
If you believe these are security issues, please report them to security@znuny.com. This forum is not monitored for this kind of information.
- rooy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?