CVE-2026-48208

EUVD-2026-33548

01.06.2026, 04:16

An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent or customer. The issue can be exploited without JavaScript execution and is not mitigated by the configured Content Security Policy (CSP).

This issue affects OTRS:

  *  7.0.X
  *  8.0.X
  *  2023.X
  *  2024.X
  *  2025.X
  *  2026.X before 2026.4.X

Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
OTRS	CNA	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 13%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
otrs	otrs	7.0.0 ≤ 𝑥 < 7.1.0	CNA
otrs	otrs	8.0.0 ≤ 𝑥 < 8.1.0	CNA
otrs	otrs	2023.0 ≤ 𝑥 < 2024.0	CNA
otrs	otrs	2024.0 ≤ 𝑥 < 2025.0	CNA
otrs	otrs	2025.0 ≤ 𝑥 < 2026.0	CNA
otrs	otrs	2026.0 ≤	CNA
otrs	otrs	6.0 ≤ 𝑥 < 7.0	CNA

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Vulnerability Media Exposure

[GERMAN] OTRS: Mehrere Schwachstellen
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in OTRS ausnutzen, um einen Denial of Service zu verursachen, um eine SQL Injection durchzuführen, um Informationen offenzulegen und um einen XSS Angriff durchzuführen.
Published: 2026-05-31T22:00:00+00:00

References

https://otrs.com/release-notes/otrs-security-advisory-2026-07/