ZSA-2026-07
The Safety() method in Kernel::System::HTMLUtils fails to detect and strip malicious script content when HTML character references are zero-padded in their decimal or hexadecimal forms (for example &#0000106; or &#x00006A; in place of &#106; or &#x6A;). Browsers silently normalize a padded reference to the same character as its unpadded form while parsing the markup and then execute the resulting JavaScript, whereas the sanitizer's filter patterns do not recognize the padded forms and let them through.
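Added example for this advisory, not code from Znuny or from the advisory itself: it shows that an HTML parser decodes a zero-padded numeric character reference to the same character as the unpadded one, and that a filter which matches on the raw encoded markup misses the padded form while a filter that normalizes the references first does not. The naiveFilter() pattern list, the SAMPLES inputs and the helper names are constructed for illustration and are not the real Kernel::System::HTMLUtils::Safety() logic.

```javascript
// Added example; not Znuny code. naiveFilter() is a constructed stand-in for
// "a sanitizer that pattern-matches encoded forms"; it is NOT the real
// Kernel::System::HTMLUtils::Safety() implementation.

// Decode numeric character references the way an HTML parser does:
// decimal &#NNN; and hex &#xHHH;, any number of leading zeros, and the
// trailing semicolon optional (its absence is a parse error, but the
// reference is still decoded).
function decodeNumericEntities(s) {
  return s.replace(/&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?/g, (m, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    if (!Number.isFinite(cp) || cp > 0x10ffff) return m; // leave junk as-is
    return String.fromCodePoint(cp);
  });
}

// Encode every character of s as a numeric reference padded with leading
// zeros to `width` digits; used to build payloads with arbitrary padding.
function encodeZeroPadded(s, width = 7, hex = false) {
  return Array.from(s, (ch) => {
    const cp = ch.codePointAt(0);
    const digits = hex ? cp.toString(16).toUpperCase() : String(cp);
    return (hex ? "&#x" : "&#") + digits.padStart(width, "0") + ";";
  }).join("");
}

// Constructed naive filter: knows the literal scheme and the two unpadded
// encodings of its first letter, and tests them against the raw markup.
const NAIVE_PATTERNS = [
  /javascript:/i,
  /&#106;?avascript:/i, // decimal, no padding
  /&#x6a;?avascript:/i, // hex, no padding
];
function naiveFilter(html) {
  return NAIVE_PATTERNS.some((re) => re.test(html)); // true means "blocked"
}

// Hardened check: normalize references first, then match the decoded text,
// so the amount of padding (or a decimal/hex mix) cannot change the result.
function normalizedFilter(html) {
  return /javascript:/i.test(decodeNumericEntities(html));
}

// Constructed sample inputs: the same payload in four encodings.
const SAMPLES = {
  plain: '<a href="javascript:alert(1)">x</a>',
  decimal: '<a href="&#106;avascript:alert(1)">x</a>',
  decPadded: '<a href="&#0000106;avascript:alert(1)">x</a>',
  hexPadded: '<a href="&#x00006A;avascript:alert(1)">x</a>',
};

// Run both filters over every sample and report what the browser will see
// after entity decoding and whether each filter blocks the input.
function compareFilters(samples = SAMPLES) {
  const out = {};
  for (const [name, html] of Object.entries(samples)) {
    out[name] = {
      decoded: decodeNumericEntities(html),
      naive: naiveFilter(html),
      normalized: normalizedFilter(html),
    };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareFilters());
}
```

The decoded column is identical for all four samples, which is what the browser executes; only the raw-markup column differs, which is all the naive filter sees. The general fix pattern is decode-then-match, and a complete implementation must also cover named references (such as &colon;), whitespace and control characters inside the scheme, and repeated decoding. The remediation for affected installations is the fixed versions listed below.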
Fixed in: Znuny LTS 6.5.19 and Znuny 7.3.1