CVE-2026-48209 PUBLISHED

Reflected XSS in authenticated agent context

Assigner: OTRS
Reserved: 21.05.2026 Published: 01.06.2026 Updated: 01.06.2026

An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened.

This issue affects OTRS:

7.0.x

Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
CVSS Score: 7.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	OTRS AG
Product	OTRS
Versions	Default: unaffected Version 7.0.x is affected

Vendor	OTRS AG
Product	((OTRS)) Community Edition
Versions	Default: affected Version 6.x is affected

Solutions

Update to latest version of OTRS (2026.4.1. or later). Please note that there will be no OTRS 7 patches

Credits

Special thanks to William Bastos (@chor4o) for reporting this vulnerability finder

References

https://otrs.com/release-notes/otrs-security-advisory-2026-08/

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE
CWE-116 Improper Encoding or Escaping of Output CWE

Impacts

CAPEC-63 Cross-Site Scripting (XSS)