Reflected Cross-Site Scripting Vulnerability in OTRS by OTRS
CVE-2026-48209
7.1 HIGH
What is CVE-2026-48209?
A reflected cross-site scripting vulnerability in OTRS Community Edition is caused by improper neutralization of user-controllable input in ticket handling. An attacker can craft the request parameters of ticket actions so that the URL carries malicious JavaScript; when an authenticated agent opens such a link, the script executes in the context of that agent's session and runs with the agent's rights in the ticket system. Note that the CVSS vector below rates Privileges Required as None and User Interaction as Required: the attacker does not need an account of their own, only a logged-in agent who opens the crafted link, since the vulnerable parameters are reflected in the authenticated agent interface. The vulnerability affects ((OTRS)) Community Edition 6.x and earlier, OTRS 7.0.x, and products built on this platform.
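To make the flaw and its fix concrete, the following added example (not OTRS code, and not taken from the advisory) shows the vulnerable pattern the description refers to: a request parameter of a ticket action reflected into an HTML attribute without neutralization, beside the same fragment with context-appropriate output encoding. It also includes a reflection check for a crafted URL and a scan over constructed access-log lines for XSS probes against the ticket endpoint. The parameter name `Filter`, the `/otrs/index.pl?Action=AgentTicketZoom` endpoint and the sample log lines are assumptions; the page does not name the affected parameter.

```python
"""Added example: reflected XSS in a ticket-action request parameter,
vulnerable and hardened rendering side by side, plus a log check for probes.
Not OTRS code. PARAM, the endpoint and the sample data are assumptions."""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

PARAM = "Filter"  # assumed parameter name, not the one from the advisory


def render_vulnerable(params):
    """Reflect the parameter into an HTML attribute without neutralization:
    a double quote in the value closes the attribute and the rest is markup."""
    value = params.get(PARAM, [""])[0]
    return f'<input type="text" name="{PARAM}" value="{value}">'


def render_hardened(params):
    """Same fragment with output encoding for the attribute context.
    quote=True turns " and ' into entities, so the value cannot break out."""
    value = html.escape(params.get(PARAM, [""])[0], quote=True)
    return f'<input type="text" name="{PARAM}" value="{value}">'


def reflected_unencoded(url, renderer):
    """Reflection test: render the fragment for a crafted URL and report
    whether the raw parameter value came back verbatim (i.e. unencoded)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    value = params.get(PARAM, [""])[0]
    return value != "" and value in renderer(params)


# Indicators of XSS probing once the query string is URL-decoded:
# a tag start, an inline event handler, or a javascript: URL.
PROBE = re.compile(r"<\s*[a-z!/]|\bon[a-z]+\s*=|javascript:", re.I)
LOG_LINE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_requests(log_lines, endpoint="/otrs/index.pl"):
    """Return (path, status) for requests to the ticket endpoint whose decoded
    query string looks like an XSS probe. The query is decoded first so that
    %3Cscript%3E and <script> are treated alike."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        path = m.group("path")
        if not path.startswith(endpoint):
            continue
        query = unquote_plus(urlsplit(path).query)
        if PROBE.search(query):
            hits.append((path, int(m.group("status"))))
    return hits


# Constructed sample data (not from the advisory).
CRAFTED_URL = (
    "https://helpdesk.example/otrs/index.pl?Action=AgentTicketZoom&TicketID=42"
    "&Filter=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E"
)
SAMPLE_LOG = [
    '203.0.113.9 - - [01/May/2026:10:00:01 +0000] "GET /otrs/index.pl?Action=AgentTicketZoom&TicketID=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/May/2026:10:00:07 +0000] "GET /otrs/index.pl?Action=AgentTicketZoom&TicketID=42&Filter=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E HTTP/1.1" 200 5190',
    '198.51.100.4 - - [01/May/2026:10:01:00 +0000] "GET /otrs/index.pl?Action=AgentTicketSearch&Subject=javascript%3Aalert%281%29 HTTP/1.1" 200 4000',
    '198.51.100.4 - - [01/May/2026:10:01:03 +0000] "GET /otrs/customer.pl?Action=CustomerTicketZoom&TicketID=7 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("vulnerable reflects payload:", reflected_unencoded(CRAFTED_URL, render_vulnerable))
    print("hardened reflects payload:  ", reflected_unencoded(CRAFTED_URL, render_hardened))
    for path, status in suspicious_requests(SAMPLE_LOG):
        print("probe:", status, path)
```

The reflection check is the same test a scanner or a manual tester applies to a candidate parameter: if the payload comes back byte-for-byte, the attribute context is breakable. The log scan deliberately inspects only the decoded query, since probes against this class of bug are almost always URL-encoded; a 200 response to a flagged request is worth correlating with the agent session that followed the link.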
Affected Version(s)
((OTRS)) Community Edition 6.x
OTRS 7.0.x
References
CVSS V3.1
Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Note: the metrics as listed (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L) evaluate to 7.6 under the CVSS v3.1 base formula, not 7.1; a score of 7.1 corresponds to the same vector with Availability: None. One of the two values on this page is therefore likely transcribed incorrectly, so check the vector string in the authoritative record before relying on the score.
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Special thanks to William Bastos (@chor4o) for reporting this vulnerability
