Skip to main content

OTRS CVE-2026-48208

| EUVDEUVD-2026-33548 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-01 OTRS GHSA-8xg9-c63w-vfj6
6.5
CVSS 3.1 · Vendor: OTRS
Share

Severity by source

Vendor (OTRS) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from Vendor (OTRS) · only source for this CVE.

CVSS VectorVendor: OTRS

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 04:20 vuln.today

DescriptionCVE.org

An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent or customer. The issue can be exploited without JavaScript execution and is not mitigated by the configured Content Security Policy (CSP).

This issue affects OTRS:

  • 7.0.X
  • 8.0.X
  • 2023.X
  • 2024.X
  • 2025.X
  • 2026.X before 2026.4.X

Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected

AnalysisAI

SVG content injection in OTRS ticket article rendering enables unauthenticated remote attackers to deliver browser-side denial of service against agents and customers who open affected tickets. Specially crafted SVG payloads submitted via inbound email trigger uncontrolled resource exhaustion during rendering, without requiring JavaScript execution, and the attack vector is not blocked by the application's configured Content Security Policy - making CSP-based mitigations ineffective. No public exploit code or active exploitation has been identified at time of analysis, but the low-complexity, no-authentication-required delivery mechanism (via email) lowers the barrier to abuse significantly.

Technical ContextAI

The affected component is the ticket article rendering engine in OTRS and its open-source fork ((OTRS)) Community Edition, which renders email-originated content in a browser context. SVG (Scalable Vector Graphics) images support active content constructs - such as animation elements, filter primitives, and recursive references - that can trigger computationally expensive operations in the browser's rendering engine without invoking JavaScript. CWE-400 (Uncontrolled Resource Consumption) applies here: the application fails to sanitize or limit active SVG content before it is presented to users, allowing payloads that consume excessive CPU or memory during rendering. The vulnerability is notable because it circumvents the configured CSP, which typically limits script execution but does not constrain SVG rendering primitives such as feTile, feFlood, or self-referential use elements. CPE strings cpe:2.3:a:otrs_ag:otrs and cpe:2.3:a:otrs_ag:((otrs))_community_edition confirm both product lines are affected across the full wildcard version range reported.

RemediationAI

The primary remediation is to upgrade OTRS to version 2026.4.X or later, which is inferred as the fixed release based on the advisory's statement that OTRS 2026.X before 2026.4.X is affected - this should be confirmed against the vendor advisory at https://otrs.com/release-notes/otrs-security-advisory-2026-07/. For ((OTRS)) Community Edition 6.x and forks, no vendor-maintained patch is available given its end-of-life status; organizations running these versions should treat migration to supported OTRS as a priority. As an immediate compensating control, administrators can configure email preprocessing rules or an upstream email gateway to strip or quarantine messages containing inline SVG attachments or base64-encoded SVG content before they are ingested as ticket articles - this eliminates the delivery vector at the cost of potentially discarding legitimate SVG-formatted correspondence. Restricting ticket access to a minimal set of trusted agents reduces the attack surface but does not eliminate the vulnerability. Do not rely solely on CSP as a control, as the advisory explicitly states it is ineffective against this attack.

More in Otrs

View all
CVE-2017-16921 HIGH POC
8.8 Dec 08

In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2

CVE-2018-7567 HIGH POC
7.2 Mar 04

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti

CVE-2014-1694 MEDIUM POC
6.8 Feb 04

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,

CVE-2017-9299 MEDIUM POC
6.1 May 29

Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]

CVE-2024-23790 CRITICAL
9.8 Jan 29

Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to

CVE-2022-4427 CRITICAL
9.8 Dec 19

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic

CVE-2012-4751 MEDIUM POC
4.3 Oct 22

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor

CVE-2026-48188 CRITICAL
9.1 Jun 01

Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication by

CVE-2023-5422 CRITICAL
9.1 Oct 16

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base

CVE-2017-9324 HIGH
8.8 Jun 12

In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with

CVE-2017-16664 HIGH
8.8 Nov 21

Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26

CVE-2014-1695 MEDIUM POC
4.3 Mar 01

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,

Share

CVE-2026-48208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy