CVE-2026-48209
7.1 HIGH · An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attacker...
Published: 2026-06-01 · Last updated: 2026-06-15
Severity and scoring
- CVSS: 7.1 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
- CWE: CWE-116, CWE-79
Affected products
| Vendor | Product |
|---|---|
| otrs | otrs |
Description
An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened. This issue affects OTRS 7.0.x. Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition are also very likely to be affected.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-48208 — An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to injec... (6.5 MEDIUM)
- CVE-2026-48191 — An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules... (3.5 LOW)
- CVE-2026-48190 — An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query ... (3.5 LOW)
- CVE-2026-48189 — An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to ... (5.7 MEDIUM)
- CVE-2026-48188 — An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL inje... (9.1 CRITICAL)
Same CWE
- CVE-2026-48157 — Slim is a PHP micro framework that enables users to write simple web applications and APIs (6.1 MEDIUM)
- CVE-2026-52702 — Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions (7.1 HIGH)
- CVE-2026-49773 — Subscriber Cross Site Scripting (XSS) in FV Flowplayer Video Player < 7.5.51.7212 versions (6.5 MEDIUM)
- CVE-2026-49055 — Unauthenticated Cross Site Scripting (XSS) in Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.7 versions (7.1 HIGH)
- CVE-2026-48966 — Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions (7.1 HIGH)