Improper SVG Content Neutralization in OTRS Affects Multiple Versions
CVE-2026-48208
6.5 MEDIUM
What is CVE-2026-48208?
OTRS does not properly neutralize SVG content when it renders ticket articles. An attacker who can get an e-mail into a ticket can embed a specially crafted SVG payload in the message body; when an agent or customer opens the affected article, rendering the SVG exhausts the browser's resources and causes a denial of service. The payload needs no JavaScript, so the configured Content Security Policy offers no protection: CSP restricts which scripts and external resources a page may load, but the costly work here is done by the browser's own SVG renderer on inline markup that the application itself delivered. Affected are OTRS 7.0.x through 2026.x before 2026.4.x, as well as older releases of the ((OTRS)) Community Edition.
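The defensive measure the title points at is neutralization of SVG before the article reaches a browser. The following Python filter is an added example written for this page; it is not OTRS code and not the vendor's fix. It assumes an HTML article body as a string, drops every inline `<svg>` subtree (nested `<svg>` included) and every element that pulls in SVG through a `data:image/svg+xml` URI or an `image/svg+xml` type, and fails closed on an unterminated `<svg>` by dropping the remainder of the body. The placeholder text, the function name `neutralize_svg` and the sample e-mail body are assumptions constructed for the example.

```python
"""Neutralize SVG in an HTML e-mail body before it is stored or rendered.

Added example, not OTRS code. Whole subtrees are removed rather than
individual "expensive" SVG constructs, because the set of constructs that
can exhaust a renderer is open-ended and a blocklist would not stay complete.
"""
from html.parser import HTMLParser

PLACEHOLDER = "[svg content removed]"          # assumed replacement text

# Attributes through which an element can reference an SVG document.
_SRC_ATTRS = ("src", "data", "srcset", "href", "xlink:href")
# Void elements: dropped outright when they reference SVG.
_VOID_EMBEDDERS = {"img", "embed", "source"}
# Container elements: the whole subtree is dropped when they reference SVG.
_CONTAINER_EMBEDDERS = {"object", "iframe"}


def _refers_to_svg(attrs):
    """True if any attribute points at SVG content (data: URI or MIME type)."""
    for name, value in attrs:
        if value is None:
            continue
        name, value = name.lower(), value.strip().lower()
        if name == "type" and value == "image/svg+xml":
            return True
        if name in _SRC_ATTRS and value.startswith("data:image/svg+xml"):
            return True
    return False


class SvgNeutralizer(HTMLParser):
    """Rebuilds the input verbatim except for SVG-bearing elements."""

    def __init__(self):
        # convert_charrefs=False so entities are echoed back unchanged.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = 0
        self._block = None      # tag name whose subtree is being dropped
        self._depth = 0         # nesting depth of that tag inside the block

    def _emit(self, text):
        if self._block is None:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if self._block is not None:
            if tag == self._block:          # nested same-name element
                self._depth += 1
            return
        if tag == "svg" or (tag in _CONTAINER_EMBEDDERS and _refers_to_svg(attrs)):
            self._block, self._depth = tag, 1
            self.removed += 1
            return
        if tag in _VOID_EMBEDDERS and _refers_to_svg(attrs):
            self.removed += 1
            self.out.append(PLACEHOLDER)
            return
        self.out.append(self.get_starttag_text())   # original text, attrs intact

    def handle_startendtag(self, tag, attrs):
        # <tag .../> never opens a block; decide and move on.
        if self._block is not None:
            return
        svg_bearing = tag in _VOID_EMBEDDERS or tag in _CONTAINER_EMBEDDERS
        if tag == "svg" or (svg_bearing and _refers_to_svg(attrs)):
            self.removed += 1
            self.out.append(PLACEHOLDER)
            return
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self._block is not None:
            if tag == self._block:
                self._depth -= 1
                if self._depth == 0:        # block closed: emit one placeholder
                    self._block = None
                    self.out.append(PLACEHOLDER)
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")

    def handle_decl(self, decl):
        self._emit(f"<!{decl}>")

    def handle_pi(self, data):
        self._emit(f"<?{data}>")

    def result(self):
        if self._block is not None:
            # Unterminated <svg>/<object>: the tail was dropped (fail closed).
            self._block = None
            self.out.append(PLACEHOLDER)
        return "".join(self.out), self.removed


def neutralize_svg(html):
    """Return (cleaned_html, number_of_svg_elements_removed)."""
    parser = SvgNeutralizer()
    parser.feed(html)
    parser.close()
    return parser.result()


# Constructed sample body: inline nested SVG, an SVG data: URI in <img>,
# a harmless <img>, and an <object> declaring the SVG MIME type.
SAMPLE_BODY = (
    '<p>Hello &amp; welcome</p>'
    '<svg xmlns="http://www.w3.org/2000/svg"><svg><rect/></svg><text>x</text></svg>'
    '<img src="data:image/svg+xml;base64,PHN2Zz4=" alt="logo">'
    '<IMG SRC="cid:photo.png">'
    '<object type="image/svg+xml" data="x"><p>fallback</p></object>'
    '<p>Bye</p>'
)

if __name__ == "__main__":
    cleaned, count = neutralize_svg(SAMPLE_BODY)
    print(count, cleaned)
```

Run this on the sample body and three elements are replaced while the ordinary `<img>` and the text (entity included) survive untouched. The filter belongs on the server, on the article body before it is stored or at least before it is served to an agent or customer view; a client-side filter would already be too late, since the resource exhaustion happens during rendering and, as the description notes, CSP cannot stop it.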
Affected Version(s)
((OTRS)) Community Edition 6.x
OTRS 7.0.x through 2026.x, before 2026.4.x
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High (the only impact value consistent with a 6.5 score for these exploitability metrics and with the denial-of-service impact described; C:N/I:N/A:N would score 0.0)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Credit
Special thanks to Daniel Trizna for reporting this vulnerability.
