Znuny LTS 6.5.19 (2026-03-25)

Type

Patchlevel

Security

Yes

Features

• Added Sender column support for dashboard ticket widgets.
• Added configurable filter for ticket search to the ticket merge dialog (AgentTicketMerge).
• Added console command Maint::Ticket::Unwatch.
• Sector Nord AG: Added support for multiple RichText instances. Thanks to @LuBroering (PR#736).

Changes

Security Fixes

• CVE-2025-52204: Fixed XSS issue with session ID in URL parameter. Thanks to Miguel P. for reporting.
• CVE-2025-59490: Fixed XSS issue with unfiltered URL parameters given to backend.
• Fixed: For security reasons, detailed error messages are no longer shown in the GUI.
• Fixed: Improved content security policy HTTP header.
• Fixed: Source view for rich text editor deactivated in customer frontend to prevent arbitrary code injection.
• Fixed: Replaced EncodeInput() method in KS:Encode with a safe version.

Changes & Improvements

• Changed: Reply function in the agent ticket compose dialog is no longer available if the article is internal and was created by an agent or by the system.
• Changed ticket zoom information widget to count only open tickets with the same customer when Ticket::Frontend::ZoomCustomerTickets is enabled.
• Increased length of the password column for users, customer_user, and mail_account.
• Improved handling of read-only fields for CustomerUser::DB and CustomerCompany::DB backends.
• Sped up UUID creation for DBCRUD modules.
• Simplified handling of the Admin::Package::Export console command.

Bug Fixes

• Fixed: CustomerUser article iframe #n>1 not resizing when all articles are shown.
• Fixed: Misleading popup message when opening more than one ticket from overviews using a shortcut to open in a new tab/window.
• Fixed: Problems with leftover UTF-16 surrogates in incoming UTF-8 text.
• Fixed: Issue with sorting dropdown elements when Ticket::Frontend::AccountTimeType is set to Dropdown.
• Fixed: Console commands Admin::Group::UserLink and Admin::Group::RoleLink with inconsistent available permissions.
• Fixed: Sender address for process tickets not assigned properly in the customer interface.
• Fixed: Znuny redirects after login to the default view even when an ExternalURL parameter with an Action is encoded in the link.
• Fixed: TemplateGenerator broken when using RichText.
• Fixed: Customer interface PopupClose function loaded agent interface header/footer, referencing unsupported features. Added CustomerPopupClose function.
• Fixed: The tags <OTRS_TICKET> and <OTRS_MERGE_TO_TICKET> could only be used once in Ticket::Frontend::AutomaticMergeText due to missing 'global' flag. Thanks to Tim Püttmanns (@tipue-dev), maxence (PR#753).
• Fixed: Date check regex for config option ICSParser::StartDate now actually matches YYYYMMDD.
• Fixed: Unexpected rate limit applied when SendmailModule::RateLimit is disabled.
• Fixed: The link to a specific article in a ticket did not work if users have different "Show all articles" settings. Article links now handle both display modes.
• Fixed: Issue with cache applied incorrectly to "My last changed tickets" widget.
• Fixed: Removed unnecessary HTML quoting of data in template generator backend.
• Fixed: No styles when printing process in the admin interface.
• Fixed: Ticket age was displayed in seconds instead of human-readable format in agent ticket zoom (asynchronous widget) and ticket list (view mode L).
• Fixed: Parameter error in Kernel::System::Web::UploadCache — no longer tries to dereference undef.
• Fixed: "Title" field on the customer login screen was not set for new customer users.
• Fixed: Console commands not loaded/listed if located in the /Custom directory.
• Fixed: Improved error logging when fetching emails.
• Fixed: Customer ticket details screen now redirects to the ticket overview if accessed without permissions.
• Fixed: Session validation before redirect added; fixed related frontend test.
• Fixed: Navigation path for Ticket::Frontend::AgentTicketNoteToLinkedTicket###IsVisibleForCustomerDefault.

See CHANGES.md for a complete overview.

Download