Otrs Community Edition
Monthly
Uncontrolled resource allocation in OTRS's e-mail handling subsystem allows a low-privileged authenticated user to trigger unbounded memory or resource consumption, ultimately aborting the webserver and causing a denial of service against the entire OTRS interface. Affected versions span OTRS 8.0.X through 2026.X prior to 2026.4.X, and the ((OTRS)) Community Edition 6.x and OTRS 7.x branches are noted by the vendor as very likely affected as well. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication bypass when the backing MySQL/MariaDB instance runs with the NO_BACKSLASH_ESCAPES SQL mode. The flaw carries a CVSS of 9.1 with network-reachable, no-privileges-required exploitation against confidentiality and integrity, but no public exploit identified at time of analysis and the issue is gated by a specific non-default database configuration.
SVG content injection in OTRS ticket article rendering enables unauthenticated remote attackers to deliver browser-side denial of service against agents and customers who open affected tickets. Specially crafted SVG payloads submitted via inbound email trigger uncontrolled resource exhaustion during rendering, without requiring JavaScript execution, and the attack vector is not blocked by the application's configured Content Security Policy - making CSP-based mitigations ineffective. No public exploit code or active exploitation has been identified at time of analysis, but the low-complexity, no-authentication-required delivery mechanism (via email) lowers the barrier to abuse significantly.
Reflected cross-site scripting in OTRS 7.0.x and ((OTRS)) Community Edition 6.x and earlier allows remote attackers to execute arbitrary JavaScript in an authenticated agent's browser session by tricking the agent into clicking a crafted ticket-action URL. The CVSS 7.1 (UI:R) rating reflects the need for victim interaction, and no public exploit identified at time of analysis, but the high integrity impact and the ubiquity of OTRS-derived help-desk forks make this a meaningful risk for ticketing environments.
Uncontrolled resource allocation in OTRS's e-mail handling subsystem allows a low-privileged authenticated user to trigger unbounded memory or resource consumption, ultimately aborting the webserver and causing a denial of service against the entire OTRS interface. Affected versions span OTRS 8.0.X through 2026.X prior to 2026.4.X, and the ((OTRS)) Community Edition 6.x and OTRS 7.x branches are noted by the vendor as very likely affected as well. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication bypass when the backing MySQL/MariaDB instance runs with the NO_BACKSLASH_ESCAPES SQL mode. The flaw carries a CVSS of 9.1 with network-reachable, no-privileges-required exploitation against confidentiality and integrity, but no public exploit identified at time of analysis and the issue is gated by a specific non-default database configuration.
SVG content injection in OTRS ticket article rendering enables unauthenticated remote attackers to deliver browser-side denial of service against agents and customers who open affected tickets. Specially crafted SVG payloads submitted via inbound email trigger uncontrolled resource exhaustion during rendering, without requiring JavaScript execution, and the attack vector is not blocked by the application's configured Content Security Policy - making CSP-based mitigations ineffective. No public exploit code or active exploitation has been identified at time of analysis, but the low-complexity, no-authentication-required delivery mechanism (via email) lowers the barrier to abuse significantly.
Reflected cross-site scripting in OTRS 7.0.x and ((OTRS)) Community Edition 6.x and earlier allows remote attackers to execute arbitrary JavaScript in an authenticated agent's browser session by tricking the agent into clicking a crafted ticket-action URL. The CVSS 7.1 (UI:R) rating reflects the need for victim interaction, and no public exploit identified at time of analysis, but the high integrity impact and the ubiquity of OTRS-derived help-desk forks make this a meaningful risk for ticketing environments.