CVE-2026-48188

CRITICAL

OTRS - SQL Injection via MySQL Quote Method

Title source: rule

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-48188. PoCs published by Habuon.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-48188, demonstrating an SQL injection vulnerability in OTRS that leads to remote code execution (RCE) via module installation. The exploit leverages a crafted username to bypass authentication and executes arbitrary commands through a malicious OTRS package.

Description

An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X * (OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected

Exploits (1)

github WORKING POC

by Habuon · pythonpoc

https://github.com/Habuon/CVE-2026-48188

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-48188, demonstrating an SQL injection vulnerability in OTRS that leads to remote code execution (RCE) via module installation. The exploit leverages a crafted username to bypass authentication and executes arbitrary commands through a malicious OTRS package.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: OTRS (Open-source Ticket Request System)

No auth needed

Prerequisites: Access to the OTRS login page · SQL injection vulnerability in the authentication mechanism · Ability to install OTRS packages

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Jun 01, 2026 Full analysis →

References (1)

Core 1

Core References

https://otrs.com/release-notes/otrs-security-advisory-2026-02/

Scores

CVSS v3 9.1

EPSS 0.0008

EPSS Percentile 23.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-20

Status published

Products (7)

OTRS AG/((OTRS)) Community Edition 6.x

OTRS AG/OTRS 2023.x

OTRS AG/OTRS 2024.x

OTRS AG/OTRS 2025.x

OTRS AG/OTRS 2026.x - 2026.3.x

OTRS AG/OTRS 7.0.x

OTRS AG/OTRS 8.0.x

Published Jun 01, 2026

Tracked Since Jun 01, 2026