CVE-2026-34724

HIGH

Zammad AI Agent - Server-Side Template Injection

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-34724. PoCs published by 0xBlackash.

AI-analyzed exploit summary The repository contains a Python script that checks the version of Zammad to determine if it is vulnerable to CVE-2026-34724, an SSTI vulnerability in the AI Agent feature. It does not include exploit code but provides a safe version check.

Description

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent exists. Impact is limited to environments where an attacker can control or influence type_enrichment_data (typically high-privilege administrative configuration). This vulnerability is fixed in 7.0.1.

Exploits (1)

nomisec SCANNER
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-34724

The repository contains a Python script that checks the version of Zammad to determine if it is vulnerable to CVE-2026-34724, an SSTI vulnerability in the AI Agent feature. It does not include exploit code but provides a safe version check.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Zammad < 7.0.1
No auth needed
Prerequisites: Access to the Zammad API endpoint /api/v1/version
devstral-2 · analyzed Apr 10, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 7.2
EPSS 0.0026
EPSS Percentile 17.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-1336 CWE-94
Status published
Products (2)
zammad/zammad 7.0.0
zammad/zammad >= 7.0.0, < 7.0.1
Published Apr 08, 2026
Tracked Since Apr 09, 2026