CVE-2026-48209

HIGH

OTRS - Reflected XSS in Authenticated Agent Context

Title source: rule

Description

An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened. This issue affects OTRS: * 7.0.x Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected

References (1)

Core 1

Core References

https://otrs.com/release-notes/otrs-security-advisory-2026-08/

Scores

CVSS v3 7.1

EPSS 0.0019

EPSS Percentile 8.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-116 CWE-79

Status published

Products (4)

otrs/otrs < 6.0.32

otrs/otrs 7.0.0 - 7.0.49

OTRS AG/((OTRS)) Community Edition 6.x

OTRS AG/OTRS 7.0.x

Published Jun 01, 2026

Tracked Since Jun 01, 2026