By vendor

Otrs vulnerabilities

Known CVEs affecting Otrs products, prioritized by severity, with SEC.co remediation and detection guidance.

7 published vulnerabilities

  • CVE-2026-48209HIGH 7.1

    OTRS ticket management systems contain a reflected cross-site scripting (XSS) vulnerability in how they handle user input during ticket operations. An attacker can craft a malicious URL containing JavaScript code and trick an authenticated agent into clicking it. When opened, the script executes within the agent's browser session, potentially allowing the attacker to steal session tokens, modify tickets, or perform actions on behalf of that agent. The attack requires social engineering to deliver the link but does not require the attacker to have direct system access.

  • CVE-2026-48208MEDIUM 6.5

    OTRS and OTRS Community Edition contain a vulnerability that allows attackers to embed malicious SVG (Scalable Vector Graphics) code within email messages sent to the ticketing system. When an agent or customer opens an affected ticket, the crafted SVG content can consume excessive browser resources, rendering the application unresponsive or forcing a browser crash. This is a denial-of-service attack that requires no special privileges and occurs automatically when viewing a compromised ticket—the attacker simply needs to send an email to the OTRS system.

  • CVE-2026-48187MEDIUM 5.7

    OTRS has a vulnerability in its email handling system that allows authenticated users to trigger excessive resource allocation on the web server, potentially causing it to crash or become unresponsive. An attacker with valid login credentials can exploit this through user interaction to exhaust server resources, resulting in denial of service. This is not a critical vulnerability but poses a meaningful availability risk to organizations relying on OTRS for ticketing operations.

  • CVE-2026-48189MEDIUM 5.7

    OTRS has released a security update addressing an input validation flaw in its Customer Backend module that allows authenticated users to bypass group-based access controls and view customer information they shouldn't have access to. The vulnerability requires that the CustomerGroupSupport feature is both enabled and actively used within the deployment. While the flaw is rated medium severity, it poses a direct confidentiality risk for organizations managing sensitive customer data through OTRS ticketing systems.

  • CVE-2026-48210MEDIUM 5.7

    OTRS 2026.3.1 has a configuration issue where ticket forwarding automatically marks internal information as visible to customers, and administrators cannot turn this off through the user interface. This means sensitive ticket details that should remain internal can unintentionally become visible to external customers, creating a data leakage risk.

  • CVE-2026-48190LOW 3.5

    OTRS has a permission-handling flaw in its External Interface and ConfigItem List module that allows authenticated customers to access Configuration Item (CI) information they shouldn't be able to see. The vulnerability only manifests when both CMDB is enabled and CustomerGroupSupport is configured, meaning organizations using default or simpler OTRS setups may not be affected. An attacker would need valid customer credentials and user interaction to exploit this issue.

  • CVE-2026-48191LOW 3.5

    A permissions bug in OTRS and STORM-powered OTRS allows authenticated users to discover metadata about configuration items (CIs), SLA levels, and services—such as how many are affected—without having actual access to view or modify them. An attacker needs valid login credentials and must interact with the Document Search Article Meta Filters modules to extract this information. While the exposure is limited to metadata disclosure rather than data access, it can provide reconnaissance value to an insider threat or compromised account holder.