Skip to main content

OTRS CVE-2026-48209

| EUVDEUVD-2026-33547 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 OTRS GHSA-hwvj-jp99-g693
7.1
CVSS 3.1 · Vendor: OTRS
Share

Severity by source

Vendor (OTRS) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Primary rating from Vendor (OTRS) · only source for this CVE.

CVSS VectorVendor: OTRS

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 04:20 vuln.today

DescriptionCVE.org

An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened.

This issue affects OTRS:

  • 7.0.x

Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected

AnalysisAI

Reflected cross-site scripting in OTRS 7.0.x and ((OTRS)) Community Edition 6.x and earlier allows remote attackers to execute arbitrary JavaScript in an authenticated agent's browser session by tricking the agent into clicking a crafted ticket-action URL. The CVSS 7.1 (UI:R) rating reflects the need for victim interaction, and no public exploit identified at time of analysis, but the high integrity impact and the ubiquity of OTRS-derived help-desk forks make this a meaningful risk for ticketing environments.

Technical ContextAI

OTRS is a widely deployed PHP/Perl-based ticketing and help-desk platform; the ((OTRS)) Community Edition is the open-source lineage from which numerous forks (e.g., Znuny, OTOBO) derive, so weaknesses in the ticket-action handlers tend to propagate downstream. CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: request parameters tied to ticket actions are reflected back into agent-facing pages without sufficient HTML/JS encoding, letting attacker-controlled strings be parsed as script. The affected CPEs cover cpe:2.3:a:otrs_ag:otrs and cpe:2.3:a:otrs_ag:((otrs))_community_edition, confirming both the commercial OTRS line and its community ancestor are in scope.

RemediationAI

Patch availability is indicated by the existence of OTRS Security Advisory 2026-08 (https://otrs.com/release-notes/otrs-security-advisory-2026-08/), so administrators should upgrade OTRS 7.0.x to the fixed release listed in that advisory; an exact fix version is not provided in the input data, so consult the advisory directly before scheduling deployment. Operators of ((OTRS)) Community Edition 6.x and earlier should note that 6.x is end-of-life and migrate to a supported fork (Znuny, OTOBO) on a release that has back-ported the fix. Compensating controls while patching: enforce a strict Content-Security-Policy that disallows inline scripts on agent pages (side effect: may break legacy customer themes and dashboard widgets), restrict the agent interface to a VPN or IP allow-list (side effect: hampers remote agents), and train agents to verify ticket-action URLs before clicking, particularly links arriving via email or external chat.

More in Otrs

View all
CVE-2017-16921 HIGH POC
8.8 Dec 08

In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2

CVE-2018-7567 HIGH POC
7.2 Mar 04

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti

CVE-2014-1694 MEDIUM POC
6.8 Feb 04

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,

CVE-2017-9299 MEDIUM POC
6.1 May 29

Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]

CVE-2024-23790 CRITICAL
9.8 Jan 29

Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to

CVE-2022-4427 CRITICAL
9.8 Dec 19

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic

CVE-2012-4751 MEDIUM POC
4.3 Oct 22

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor

CVE-2026-48188 CRITICAL
9.1 Jun 01

Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication by

CVE-2023-5422 CRITICAL
9.1 Oct 16

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base

CVE-2017-9324 HIGH
8.8 Jun 12

In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with

CVE-2017-16664 HIGH
8.8 Nov 21

Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26

CVE-2014-1695 MEDIUM POC
4.3 Mar 01

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,

Share

CVE-2026-48209 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy