{"api_version":"1","generated_at":"2026-06-01T09:41:53+00:00","cve":"CVE-2026-48209","urls":{"html":"https://cve.report/CVE-2026-48209","api":"https://cve.report/api/cve/CVE-2026-48209.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-48209","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-48209"},"summary":{"title":"Reflected XSS in authenticated agent context","description":"An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened.\n\nThis issue affects OTRS:\n\n  *  7.0.x\n\nPlease note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected","state":"PUBLISHED","assigner":"OTRS","published_at":"2026-06-01 04:16:23","updated_at":"2026-06-01 04:16:23"},"problem_types":["CWE-79","CWE-116","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","CWE-116 CWE-116 Improper Encoding or Escaping of Output"],"metrics":[{"version":"3.1","source":"security@otrs.com","type":"Secondary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-08/","name":"https://otrs.com/release-notes/otrs-security-advisory-2026-08/","refsource":"security@otrs.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-48209","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48209","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 7.0.x","platforms":[]},{"source":"CNA","vendor":"OTRS AG","product":"((OTRS)) Community Edition","version":"affected 6.x","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Update to latest version of OTRS (2026.4.1. or later). Please note that there will be no OTRS 7 patches","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Special thanks to William Bastos (@chor4o) for reporting this vulnerability","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"OTRS","vendor":"OTRS AG","versions":[{"status":"affected","version":"7.0.x"}]},{"defaultStatus":"affected","product":"((OTRS)) Community Edition","vendor":"OTRS AG","versions":[{"status":"affected","version":"6.x"}]}],"credits":[{"lang":"en","type":"finder","value":"Special thanks to William Bastos (@chor4o) for reporting this vulnerability"}],"datePublic":"2026-06-01T07:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div>An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened.</div><div><br></div><div><p>This issue affects OTRS:</p><ul><li>7.0.x</li></ul>Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected<br></div><div><br></div><div><br></div>"}],"value":"An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened.\n\nThis issue affects OTRS:\n\n  *  7.0.x\n\nPlease note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected"}],"impacts":[{"capecId":"CAPEC-63","descriptions":[{"lang":"en","value":"CAPEC-63 Cross-Site Scripting (XSS)"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-116","description":"CWE-116 Improper Encoding or Escaping of Output","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-01T03:32:28.473Z","orgId":"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8","shortName":"OTRS"},"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-08/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update to latest version of OTRS (2026.4.1. or later). Please note that there will be no OTRS 7 patches<br>"}],"value":"Update to latest version of OTRS (2026.4.1. or later). Please note that there will be no OTRS 7 patches"}],"source":{"advisory":"OSA-2026-08","defect":["Ticket#2026052110000287","Ticket#2026041442001606"],"discovery":"EXTERNAL"},"title":"Reflected XSS in authenticated agent context","x_generator":{"engine":"Vulnogram 0.1.0-dev"}}},"cveMetadata":{"assignerOrgId":"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8","assignerShortName":"OTRS","cveId":"CVE-2026-48209","datePublished":"2026-06-01T03:32:28.473Z","dateReserved":"2026-05-21T12:12:49.645Z","dateUpdated":"2026-06-01T03:32:28.473Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-01 04:16:23","lastModifiedDate":"2026-06-01 04:16:23","problem_types":["CWE-79","CWE-116","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","CWE-116 CWE-116 Improper Encoding or Escaping of Output"],"metrics":{"cvssMetricV31":[{"source":"security@otrs.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"48209","Ordinal":"1","Title":"Reflected XSS in authenticated agent context","CVE":"CVE-2026-48209","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"48209","Ordinal":"1","NoteData":"An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened.\n\nThis issue affects OTRS:\n\n  *  7.0.x\n\nPlease note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected","Type":"Description","Title":"Reflected XSS in authenticated agent context"}]}}}