Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from Vendor (OTRS) · only source for this CVE.
CVSS VectorVendor: OTRS
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent or customer. The issue can be exploited without JavaScript execution and is not mitigated by the configured Content Security Policy (CSP).
This issue affects OTRS:
- 7.0.X
- 8.0.X
- 2023.X
- 2024.X
- 2025.X
- 2026.X before 2026.4.X
Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected
AnalysisAI
SVG content injection in OTRS ticket article rendering enables unauthenticated remote attackers to deliver browser-side denial of service against agents and customers who open affected tickets. Specially crafted SVG payloads submitted via inbound email trigger uncontrolled resource exhaustion during rendering, without requiring JavaScript execution, and the attack vector is not blocked by the application's configured Content Security Policy - making CSP-based mitigations ineffective. No public exploit code or active exploitation has been identified at time of analysis, but the low-complexity, no-authentication-required delivery mechanism (via email) lowers the barrier to abuse significantly.
Technical ContextAI
The affected component is the ticket article rendering engine in OTRS and its open-source fork ((OTRS)) Community Edition, which renders email-originated content in a browser context. SVG (Scalable Vector Graphics) images support active content constructs - such as animation elements, filter primitives, and recursive references - that can trigger computationally expensive operations in the browser's rendering engine without invoking JavaScript. CWE-400 (Uncontrolled Resource Consumption) applies here: the application fails to sanitize or limit active SVG content before it is presented to users, allowing payloads that consume excessive CPU or memory during rendering. The vulnerability is notable because it circumvents the configured CSP, which typically limits script execution but does not constrain SVG rendering primitives such as feTile, feFlood, or self-referential use elements. CPE strings cpe:2.3:a:otrs_ag:otrs and cpe:2.3:a:otrs_ag:((otrs))_community_edition confirm both product lines are affected across the full wildcard version range reported.
RemediationAI
The primary remediation is to upgrade OTRS to version 2026.4.X or later, which is inferred as the fixed release based on the advisory's statement that OTRS 2026.X before 2026.4.X is affected - this should be confirmed against the vendor advisory at https://otrs.com/release-notes/otrs-security-advisory-2026-07/. For ((OTRS)) Community Edition 6.x and forks, no vendor-maintained patch is available given its end-of-life status; organizations running these versions should treat migration to supported OTRS as a priority. As an immediate compensating control, administrators can configure email preprocessing rules or an upstream email gateway to strip or quarantine messages containing inline SVG attachments or base64-encoded SVG content before they are ingested as ticket articles - this eliminates the delivery vector at the cost of potentially discarding legitimate SVG-formatted correspondence. Restricting ticket access to a minimal set of trusted agents reduces the attack surface but does not eliminate the vulnerability. Do not rely solely on CSP as a control, as the advisory explicitly states it is ineffective against this attack.
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2
In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,
Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]
Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor
Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication by
The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base
In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33548
GHSA-8xg9-c63w-vfj6