CVE-2026-48208
SVG Content Injection in OTRS Leading to DoS
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: OTRS AG
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| otrs | otrs | 7.0 |
| otrs | otrs | 8.0 |
| otrs | otrs | 2023 |
| otrs | otrs | 2024 |
| otrs | otrs | 2025 |
| otrs | otrs | up to 2026.4 (exclusive) |
| otrs | otrs | 6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-791 | The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can cause denial of service by exhausting browser resources when an affected ticket containing the malicious SVG payload is opened. This can disrupt normal operations for agents or customers using the OTRS system.
Can you explain this vulnerability to me?
This vulnerability involves improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering. Attackers can inject specially crafted SVG payloads via email content. When affected tickets are opened by an agent or customer, this leads to browser-side resource exhaustion and denial of service.
The issue can be exploited without requiring JavaScript execution and is not mitigated by the configured Content Security Policy (CSP).