CVE-2026-48209

HIGH EPSS 12.3%

Published Jun 1, 20264w ago · Modified Jun 17, 20261w ago

7.1 CVSS 3.1

High

Published Jun 1, 2026 4w ago

Last Modified Jun 17, 2026 1w ago

Description

An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened. This issue affects OTRS: * 7.0.x Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected

CVSS Details

Base Score

7.1

Exploitability

2.8

Impact

4.2

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Unchanged

Confidentiality Low

Integrity High

Availability None

Threat Intelligence

EPSS Exploit Probability

12.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-116

CWE-79 Cross-site Scripting Injection

Affected Products 2

Vendor	Product	Version	Range
otrs	otrs	*	≤6.0.32
otrs	otrs	*	≥7.0.0 – ≤7.0.49

References 1

otrs.com https://otrs.com/release-notes/otrs-security-advisory-2026-08/

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.