PatchSiren

OTRS AG CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH OTRS AG CVE published 2026-06-01

CVE-2026-48209

An authenticated reflected cross-site scripting (XSS) vulnerability exists in OTRS 7.0.x and ((OTRS)) Community Edition 6.x and earlier. The flaw stems from improper neutralization of user-controllable input during ticket handling operations. An authenticated attacker can craft a malicious URL containing injected JavaScript within request parameters associated with ticket actions. When an authenticated ag [truncated]

MEDIUM OTRS AG CVE published 2026-06-01

CVE-2026-48208

An improper neutralization of active SVG content in OTRS and ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent or customer. The issue can be exploited without JavaScript execution and is not mitigated by the configured [truncated]

LOW OTRS AG CVE published 2026-06-01

CVE-2026-48191

An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them.

LOW OTRS AG CVE published 2026-06-01

CVE-2026-48190

An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be enabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X.

MEDIUM OTRS AG CVE published 2026-06-01

CVE-2026-48189

An improper input validation vulnerability in the OTRS Customer Backend module allows authenticated users to access customer information restricted to other groups. The vulnerability requires that the affected feature be enabled and that CustomerGroupSupport is in use. The issue affects multiple OTRS versions including 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X. The CVSS 3.1 vector i [truncated]

CRITICAL OTRS AG CVE published 2026-06-01

CVE-2026-48188

An improper input validation vulnerability in the OTRS database layer module enables unauthenticated SQL injection, which can lead to authentication bypass. The issue is only exploitable when the backend MySQL or MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode. Affected versions include OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X, as well as ((OTRS)) Community [truncated]

MEDIUM OTRS AG CVE published 2026-06-01

CVE-2026-48187

An uncontrolled resource allocation vulnerability in OTRS email handling allows excessive resource consumption that may lead to webserver abortion. The vulnerability stems from missing limits or throttling mechanisms during email processing. Affected versions include OTRS 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X. The vendor advisory also indicates that ((OTRS)) Community Edition 6.x, OTRS [truncated]

MEDIUM OTRS AG CVE published 2026-05-31

CVE-2026-48210

An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend.