CVE-2026-48208
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk16th percentile - higher than 16% of all known CVEs
Summary
In OTRS and ((OTRS)) Community Edition, improper neutralization of active SVG content in ticket article rendering allows attackers to inject specially crafted SVG payloads via email content. This can lead to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent or customer.
Risk Assessment
Organizations may experience significant disruptions in system operation, potentially leading to loss of access to tickets and decreased customer service quality. Attackers can exploit this vulnerability without the need for JavaScript execution, increasing the risk.
Recommendation
It is recommended to update OTRS to version 2026.4.X or newer to mitigate this vulnerability. Additionally, consider reviewing and strengthening the Content Security Policy (CSP) to protect against similar attacks.
Original NVD description (English source)
An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent or customer. The issue can be exploited without JavaScript execution and is not mitigated by the configured Content Security Policy (CSP). This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected

