CVE-2026-48209
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions.
Risk Assessment
Attackers can inject malicious JavaScript into manipulated request URLs, leading to the execution of arbitrary script code in the context of an authenticated agent session when the crafted link is opened. This poses a serious threat to data security and system integrity.
Recommendation
It is recommended to update OTRS to the latest version to eliminate this vulnerability. Additionally, a security audit of the application should be conducted, and appropriate mechanisms to protect against XSS attacks should be implemented.
Original NVD description (English source)
An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened. This issue affects OTRS: * 7.0.x Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected

