Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Primary rating from Vendor (OTRS) · only source for this CVE.
CVSS VectorVendor: OTRS
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened.
This issue affects OTRS:
- 7.0.x
Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected
AnalysisAI
Reflected cross-site scripting in OTRS 7.0.x and ((OTRS)) Community Edition 6.x and earlier allows remote attackers to execute arbitrary JavaScript in an authenticated agent's browser session by tricking the agent into clicking a crafted ticket-action URL. The CVSS 7.1 (UI:R) rating reflects the need for victim interaction, and no public exploit identified at time of analysis, but the high integrity impact and the ubiquity of OTRS-derived help-desk forks make this a meaningful risk for ticketing environments.
Technical ContextAI
OTRS is a widely deployed PHP/Perl-based ticketing and help-desk platform; the ((OTRS)) Community Edition is the open-source lineage from which numerous forks (e.g., Znuny, OTOBO) derive, so weaknesses in the ticket-action handlers tend to propagate downstream. CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: request parameters tied to ticket actions are reflected back into agent-facing pages without sufficient HTML/JS encoding, letting attacker-controlled strings be parsed as script. The affected CPEs cover cpe:2.3:a:otrs_ag:otrs and cpe:2.3:a:otrs_ag:((otrs))_community_edition, confirming both the commercial OTRS line and its community ancestor are in scope.
RemediationAI
Patch availability is indicated by the existence of OTRS Security Advisory 2026-08 (https://otrs.com/release-notes/otrs-security-advisory-2026-08/), so administrators should upgrade OTRS 7.0.x to the fixed release listed in that advisory; an exact fix version is not provided in the input data, so consult the advisory directly before scheduling deployment. Operators of ((OTRS)) Community Edition 6.x and earlier should note that 6.x is end-of-life and migrate to a supported fork (Znuny, OTOBO) on a release that has back-ported the fix. Compensating controls while patching: enforce a strict Content-Security-Policy that disallows inline scripts on agent pages (side effect: may break legacy customer themes and dashboard widgets), restrict the agent interface to a VPN or IP allow-list (side effect: hampers remote agents), and train agents to verify ticket-action URLs before clicking, particularly links arriving via email or external chat.
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2
In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,
Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]
Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor
Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication by
The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base
In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33547
GHSA-hwvj-jp99-g693