CVE-2026-48209
Reflected XSS in OTRS Ticket Handling
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: OTRS AG
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| otrs | otrs | From 7.0.0 (inc) to 8.0.0 (exc) |
| otrs | community_edition | to 6.9.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a reflected cross-site scripting (XSS) issue in OTRS and ((OTRS)) Community Edition ticket handling. It occurs because user-controllable input is not properly neutralized, allowing authenticated attackers to inject malicious JavaScript code into request parameters related to ticket actions.
When an attacker crafts a specially manipulated URL containing this malicious script and an authenticated agent opens this link, the script executes within the context of their session.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript code in the context of an authenticated agent's session. This can lead to unauthorized actions being performed on behalf of the agent, theft of sensitive information such as session tokens, or manipulation of ticket data.
Because the attack requires an authenticated session and user interaction (opening a crafted link), it can be used to compromise the integrity and confidentiality of the ticketing system.