Impact
An improper neutralisation of active SVG content in OTRS ticket article rendering allows attackers to inject specially crafted SVG payloads through email content, triggering browser-side resource exhaustion and resulting in a denial of service when the ticket is opened by an agent or customer. The flaw is classified as an input-handling weakness (CWE-400, uncontrolled resource consumption, and CWE-791, incomplete filtering of special elements); because exploitation requires no JavaScript execution, Content Security Policy settings do not mitigate it.
Affected Systems
The vulnerability affects OTRS AG Community Edition and the Enterprise edition, including 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and all 2026.X releases prior to 2026.4.X. Community Edition 6.x and earlier are also vulnerable, as are products that build on the Community Edition. In all cases, the issue arises when tickets containing email‑supplied SVG content are displayed to users.
Risk and Exploitability
With a CVSS score of 6.5, the vulnerability is rated moderate. EPSS score data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, indicating that it has not yet been observed being widely exploited in the wild. An attacker triggers the denial of service by sending or embedding malicious SVG content in a ticket email; any user who then opens the affected ticket suffers the resource exhaustion in their own browser. Because the flaw requires neither JavaScript execution nor special privileges, it can be leveraged by unauthenticated web or email users who can cause a ticket to be viewed.
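As an added example (not OTRS code, nor the vendor's fix), the following shows one way to neutralise SVG in an HTML article body before it is handed to the browser, which is the mitigation the advisory points at: inline <svg> subtrees are replaced by a placeholder and URL attributes that reference SVG are dropped. It assumes the article is available as an HTML string; the class and function names, the placeholder text and the sample article are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Attributes that can carry a URL, how an SVG reference looks inside one, and HTML void elements.
URL_ATTRS = {"src", "href", "xlink:href", "data", "poster", "srcset", "style"}
SVG_REF = re.compile(r"data:image/svg\+xml|\.svgz?(?=$|[?#)\s\"'])", re.IGNORECASE)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}


class SvgNeutraliser(HTMLParser):
    # Re-emits an article with every inline <svg> subtree and every SVG-referencing URL attribute
    # removed; comments and declarations are dropped as a side effect of not re-emitting them.
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded and is re-escaped below
        self.out, self.svg_depth, self.removed = [], 0, 0

    def handle_starttag(self, tag, attrs):  # also reached for <x/> via the default startendtag
        if tag == "svg":
            if self.svg_depth == 0:
                self.removed += 1
                self.out.append("[SVG content removed]")
            self.svg_depth += 1  # counts <svg> only, so an unclosed child cannot desync it
        elif self.svg_depth == 0:
            kept = []
            for name, value in attrs:
                if value is not None and name in URL_ATTRS and SVG_REF.search(value):
                    self.removed += 1  # drop the attribute rather than trying to repair the URL
                    continue
                kept.append(name if value is None else f'{name}="{html.escape(value)}"')
            self.out.append(f"<{tag}{''.join(' ' + a for a in kept)}>")

    def handle_endtag(self, tag):
        if tag == "svg":
            self.svg_depth = max(0, self.svg_depth - 1)  # a stray </svg> is swallowed
        elif self.svg_depth == 0 and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.svg_depth == 0:
            self.out.append(html.escape(data, quote=False))


def neutralise_svg(article_html: str) -> tuple[str, int]:
    # Returns (safe_html, number_of_svg_items_removed) for one ticket article body.
    parser = SvgNeutraliser()
    parser.feed(article_html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample article (not a real payload): inline <svg> with a nested filter subtree plus
# an <img> whose src is an SVG data URI; the ordinary HTML around them must survive intact.
SAMPLE_ARTICLE = ('<p>Hello &amp; welcome</p><svg><defs><filter id="f"/></defs><rect filter="url(#f)"/></svg>'
                  '<img src="data:image/svg+xml;base64,AAAA" alt="logo"><a href="/r.pdf">report</a>')
```

The removed count is worth logging per article: a sudden rise in stripped SVG items across incoming mail is a cheap signal that someone is probing the rendering path.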
OpenCVE Enrichment