CVE-2026-48208
Analyzed Analyzed - Analysis Complete
SVG Content Injection in OTRS Leading to DoS

Publication date: 2026-06-01

Last updated on: 2026-06-15

Assigner: OTRS AG

Description
An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent or customer. The issue can be exploited without JavaScript execution and is not mitigated by the configured Content Security Policy (CSP). This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-15
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-48208
EUVD
EUVD-2026-33548
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
otrs otrs to 6.0.32 (inc)
otrs otrs From 7.0.0 (inc) to 8.0.37 (inc)
otrs otrs From 2023.0.0 (inc) to 2026.4.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-791 The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability can cause denial of service by exhausting browser resources when an affected ticket containing the malicious SVG payload is opened. This can disrupt normal operations for agents or customers using the OTRS system.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to update your OTRS installation to version 2026.4.1 or later.

No patches will be provided for OTRS 7, so upgrading to a supported and fixed version is necessary.

Executive Summary

This vulnerability involves improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering. Attackers can inject specially crafted SVG payloads via email content. When affected tickets are opened by an agent or customer, this leads to browser-side resource exhaustion and denial of service.

The issue can be exploited without requiring JavaScript execution and is not mitigated by the configured Content Security Policy (CSP).

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48208. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart