Description
An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened.

This issue affects OTRS:

* 7.0.x

Please note that ((OTRS)) Community Edition 6.x and earlier are also vulnerable. Products based on ((OTRS)) Community Edition are very likely to be affected as well.
Published: 2026-06-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user-controllable input, classified as CWE-79 (cross-site scripting) with CWE-116 (improper encoding or escaping of output) as the underlying cause: request parameters associated with ticket actions are written into the response without encoding appropriate to the HTML context they land in. An attacker therefore only has to build a ticket-action URL whose parameters carry JavaScript. When an authenticated agent opens that URL, the script runs in the agent's browser inside the agent's session, so it can read and exfiltrate ticket data visible to that agent, perform ticket actions with the agent's privileges, and deface the OTRS pages the agent sees. This is script execution in the victim's browser, not code execution on the OTRS server.
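To make the CWE-79/CWE-116 distinction concrete, the following is an added example (not OTRS code and not from this advisory): a small ticket-action renderer in its vulnerable form beside a hardened form that neutralizes each parameter for the context it is written into. The handler, the parameter names TicketID and SearchTerm, the page template and the three crafted links are assumptions constructed for illustration; the advisory does not say which OTRS parameter is affected.

```python
"""Reflected XSS in a ticket-action page, vulnerable form beside the hardened
form. Added example, not OTRS code: the handler, the parameter names
(TicketID, SearchTerm) and the page template are assumptions for illustration;
the advisory does not say which OTRS parameter is affected. The crafted links
are constructed for this example, not taken from any exploit."""
import html
import json
import re
from urllib.parse import parse_qs, urlsplit


def params_from_url(url: str) -> dict:
    """First value of each query parameter of a (crafted) link."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def render_vulnerable(params: dict) -> str:
    """CWE-79: request parameters are copied into three different output
    contexts (element text, attribute value, JS string) with no encoding."""
    ticket = params.get("TicketID", "")
    term = params.get("SearchTerm", "")
    return (
        f"<h1>Ticket {ticket}: results for {term}</h1>\n"
        f'<input name="SearchTerm" value="{term}">\n'
        f'<script>var searchTerm = "{term}";</script>'
    )


def render_fixed(params: dict) -> str:
    """Neutralization matched to each context (the fix for CWE-116):
    - TicketID is validated against an allow-list (digits only) instead of encoded;
    - element text and attribute values get HTML entity encoding, quotes included;
    - the JS string is a JSON literal with '<' escaped, so a value containing
      '</script>' cannot close the script block."""
    ticket = params.get("TicketID", "")
    if not re.fullmatch(r"[0-9]{1,10}", ticket):
        raise ValueError("invalid TicketID")
    term_html = html.escape(params.get("SearchTerm", ""), quote=True)
    term_js = json.dumps(params.get("SearchTerm", "")).replace("<", "\\u003c")
    return (
        f"<h1>Ticket {ticket}: results for {term_html}</h1>\n"
        f'<input name="SearchTerm" value="{term_html}">\n'
        f"<script>var searchTerm = {term_js};</script>"
    )


# Structural check for the demonstration only (not a WAF rule): did the payload
# open a script tag, add an event-handler attribute, or break out of the JS
# string literal (a quote not preceded by a backslash, then ';alert')?
_INJECTED = re.compile(r'<script>alert|\son[a-z]+="|(?<!\\)";\s*alert', re.I)


def is_injected(page: str) -> bool:
    return _INJECTED.search(page) is not None


# Constructed crafted links, one per output context (assumed URL layout).
BASE = "https://helpdesk.example/otrs/index.pl?Action=AgentTicketSearch&TicketID=42&SearchTerm="
CRAFTED_TAG = BASE + "%3Cscript%3Ealert(1)%3C/script%3E"        # <script>alert(1)</script>
CRAFTED_ATTR = BASE + "%22%20autofocus%20onfocus=%22alert(1)"     # " autofocus onfocus="alert(1)
CRAFTED_JS = BASE + "%22%3Balert(1)%3B//"                         # ";alert(1);//


def demo() -> dict:
    """Render every crafted link through both handlers and report which ones
    inject; also confirm the fixed handler rejects a non-numeric TicketID."""
    crafted = {"tag": CRAFTED_TAG, "attr": CRAFTED_ATTR, "js": CRAFTED_JS}
    result = {
        "vulnerable": {k: is_injected(render_vulnerable(params_from_url(u))) for k, u in crafted.items()},
        "fixed": {k: is_injected(render_fixed(params_from_url(u))) for k, u in crafted.items()},
    }
    try:
        render_fixed({"TicketID": "42<img src=x onerror=alert(1)>", "SearchTerm": ""})
        result["rejects_bad_ticket"] = False
    except ValueError:
        result["rejects_bad_ticket"] = True
    return result


if __name__ == "__main__":
    for name, url in (("tag", CRAFTED_TAG), ("attr", CRAFTED_ATTR), ("js", CRAFTED_JS)):
        p = params_from_url(url)
        print(f"--- {name}: vulnerable ---\n{render_vulnerable(p)}\n--- {name}: fixed ---\n{render_fixed(p)}\n")
    print(demo())
```

The attribute and script cases are the ones a "strip `<script>` tags" style fix misses: the attribute payload contains no `<` at all, and the script payload only needs a quote. Entity-encoding quotes handles the attribute, a JSON literal handles the script context, and TicketID is better validated than encoded.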

Affected Systems

The issue affects OTRS 7.0.x. ((OTRS)) Community Edition 6.x and earlier releases are also vulnerable, and products built on ((OTRS)) Community Edition are very likely affected as well. In all of these, a ticket-action URL whose request parameters have been manipulated triggers reflected XSS in the agent interface when an authenticated agent opens it.

Risk and Exploitability

The CVSS 3.1 base score is 7.1 (High), vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N; the EPSS score is below 1% (Very Low), and the vulnerability is not listed in the CISA KEV catalog. The vector rates privileges required as none (PR:N) and user interaction as required (UI:R): the attacker needs no account of their own, only a way to get a crafted link in front of an agent, and the attack succeeds when an authenticated agent opens that link. Read against the vector, the "authenticated" in the description refers to the victim's agent session rather than to the attacker, so links arriving by e-mail or chat should be treated as a vector, not only links from other logged-in users. Because exploitation depends on an agent opening the link, large-scale exploitation is less likely than for flaws that need no interaction, but one successful click yields that agent's access to tickets. No public exploit is known; that does not rule out manual or automated exploitation through phishing-style links.

Generated by OpenCVE AI on June 1, 2026 at 05:22 UTC.

Remediation

Vendor Solution

Update to the latest version of OTRS (2026.4.1 or later). Please note that there will be no OTRS 7 patches.


OpenCVE Recommended Actions

  • Update to OTRS 2026.4.1 or later; OTRS 7 will not receive a patch, so 7.0.x installations need the version upgrade rather than a hotfix
  • Until the upgrade is done, do not open ticket-action links that arrive by e-mail, chat or in ticket bodies from an agent session; open the ticket by navigating inside the application instead
  • Deploy a Content-Security-Policy whose script-src names only trusted origins and omits 'unsafe-inline': a reflected payload in a URL parameter can only run as an inline script, an inline event handler, a javascript: URL or a script pulled from an attacker host, and such a policy blocks all of those even before the upgrade. Roll it out in Content-Security-Policy-Report-Only mode first, because the application's own pages may rely on inline script
  • Keep agent accounts on the least privilege they need, and review web-server access logs for ticket-action requests whose parameters, once percent-decoded, contain tag openers, event-handler attributes or javascript: URLs; a 200 response to such a request means the page was served with the payload reflected in it

Generated by OpenCVE AI on June 1, 2026 at 05:22 UTC.
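The log review suggested in the recommended actions, as an added example that is not OpenCVE's or OTRS's tooling: a triage script over constructed Apache-style access log lines that percent-decodes ticket-action request parameters (repeatedly, so double-encoded payloads are seen) and flags the ones carrying reflected-XSS signatures. The log format, the /otrs/index.pl path with an Action=AgentTicket... parameter (the conventional OTRS layout), and the log lines themselves are assumptions constructed for this example; the signatures are coarse and meant for triage, not as a WAF rule.

```python
"""Triage web-server access logs for reflected-XSS probes against agent ticket
actions. Added example, not OpenCVE or OTRS tooling. Assumptions: Apache/nginx
"combined" log format and the agent front end at /otrs/index.pl with an
Action=AgentTicket... parameter (the conventional OTRS layout); the log lines
below are constructed for this example. Coarse triage signatures, not a WAF rule."""
import re
from typing import Optional
from urllib.parse import unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signatures of a reflected payload after decoding: a tag opener, an inline
# event handler, a javascript: URL, or the usual proof-of-concept probe call.
XSS_RE = re.compile(
    r"</?[a-z!]"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:"
    r"|\b(?:alert|prompt|confirm)\s*\(",
    re.I,
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads (%253C) are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_query(query: str) -> list:
    """OTRS links use ';' as well as '&' between parameters, so split on both
    and decode each side. A literal ';' inside a payload splits that payload
    into pieces; each piece is still scanned."""
    pairs = []
    for piece in re.split(r"[&;]", query):
        if piece:
            name, _, value = piece.partition("=")
            pairs.append((decode_fully(name), decode_fully(value)))
    return pairs


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for an agent ticket-action request whose parameters
    look like a reflected-XSS payload, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if not target.path.endswith("/index.pl"):   # agent front end only (assumed path)
        return None
    pairs = split_query(target.query)
    action = dict(pairs).get("Action", "")
    if not action.startswith("AgentTicket"):
        return None
    suspicious = {name: value for name, value in pairs if XSS_RE.search(value)}
    if not suspicious:
        return None
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),        # '-' means the request carried no authenticated user
        "action": action,
        "status": m.group("status"),    # 200 means the page was served with the payload in it
        "suspicious": suspicious,
    }


def scan(lines) -> list:
    return [f for f in map(scan_line, lines) if f]


# Constructed log lines: two ordinary agent requests, a single-encoded probe,
# a double-encoded probe, a customer-front-end request, and a POST without query.
LOG_LINES = [
    '203.0.113.5 - agent1 [01/Jun/2026:09:14:02 +0000] "GET /otrs/index.pl?Action=AgentTicketZoom;TicketID=1042 HTTP/1.1" 200 18231',
    '203.0.113.5 - agent1 [01/Jun/2026:09:14:20 +0000] "GET /otrs/index.pl?Action=AgentTicketSearch&Subaction=Search&Fulltext=printer+jam HTTP/1.1" 200 9120',
    '198.51.100.77 - - [01/Jun/2026:09:15:01 +0000] "GET /otrs/index.pl?Action=AgentTicketZoom&TicketID=1042%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 18304',
    '198.51.100.77 - - [01/Jun/2026:09:15:09 +0000] "GET /otrs/index.pl?Action=AgentTicketSearch&Fulltext=%2522%2520autofocus%2520onfocus%253Dalert(1) HTTP/1.1" 200 9102',
    '198.51.100.77 - - [01/Jun/2026:09:15:30 +0000] "GET /otrs/customer.pl?Action=CustomerTicketOverview&Filter=%3Cscript%3E HTTP/1.1" 200 4400',
    '203.0.113.9 - agent2 [01/Jun/2026:09:16:00 +0000] "POST /otrs/index.pl HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
```

A hit in the log shows that a payload was requested and, on a 200, reflected; it does not show whether an agent's browser ran it. Pair a hit with the Referer and the agent session active from that address to decide whether the session needs to be invalidated.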


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 04:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened. This issue affects OTRS: * 7.0.x Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected
Title        (none)           Reflected XSS in authenticated agent context
Weaknesses   (none)           CWE-116, CWE-79
References   (none)           (none)
Metrics      (none)           cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: OTRS

Published:

Updated: 2026-06-01T03:32:28.473Z

Reserved: 2026-05-21T12:12:49.645Z

Link: CVE-2026-48209

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T04:16:23.257

Modified: 2026-06-01T04:16:23.257

Link: CVE-2026-48209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T05:30:20Z

Weaknesses