These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
An authenticated reflected cross-site scripting (XSS) vulnerability exists in OTRS 7.0.x and ((OTRS)) Community Edition 6.x and earlier. The flaw stems from improper neutralization of user-controllable input during ticket handling operations. An authenticated attacker can craft a malicious URL containing injected JavaScript within request parameters associated with ticket actions. When an authenticated ag [truncated]
An improper neutralization of active SVG content in OTRS and ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent or customer. The issue can be exploited without JavaScript execution and is not mitigated by the configured [truncated]
An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them.
An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be enabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X.
An improper input validation vulnerability in the OTRS Customer Backend module allows authenticated users to access customer information restricted to other groups. The vulnerability requires that the affected feature be enabled and that CustomerGroupSupport is in use. The issue affects multiple OTRS versions including 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X. The CVSS 3.1 vector i [truncated]
An improper input validation vulnerability in the OTRS database layer module enables unauthenticated SQL injection, which can lead to authentication bypass. The issue is only exploitable when the backend MySQL or MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode. Affected versions include OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X, as well as ((OTRS)) Community [truncated]
An uncontrolled resource allocation vulnerability in OTRS email handling allows excessive resource consumption that may lead to webserver abortion. The vulnerability stems from missing limits or throttling mechanisms during email processing. Affected versions include OTRS 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X. The vendor advisory also indicates that ((OTRS)) Community Edition 6.x, OTRS [truncated]
An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend.