CVE Catalog

CVE-2026-48209

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

8th percentile - higher than 8% of all known CVEs

Summary

An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions.

Risk Assessment

Attackers can inject malicious JavaScript into manipulated request URLs, leading to the execution of arbitrary script code in the context of an authenticated agent session when the crafted link is opened. This poses a serious threat to data security and system integrity.

Recommendation

It is recommended to update OTRS to the latest version to eliminate this vulnerability. Additionally, a security audit of the application should be conducted, and appropriate mechanisms to protect against XSS attacks should be implemented.

Original NVD description (English source)

An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened. This issue affects OTRS: * 7.0.x Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected

Vulnerability data from NVD (NIST) · CISA KEV · EPSS