ZSA-2026-03

Date: 2026-03-25
Affected: All versions of Znuny LTS from 6.5.1 up to including 6.5.18.
All versions of Znuny from 7.2.1 up to including 7.2.3.
All versions of Znuny 6.0, 6.1, 6.2, 6.3, 6.4, 7.0, and 7.1.
Severity: low
CVE: Not requested

It was observed that injecting malformed input (e.g., a single quote) into parameters triggered detailed error responses across Znuny. These responses revealed sensitive backend information, including SQL query fragments, Perl module details, internal file system paths, and technology stack information. This issue is not isolated to the examples provided but occurs broadly across the Agent, Customer, and Public interface.

Fixed in: Znuny LTS 6.5.19 and Znuny 7.3.1