
Description

An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when an affected ticket is opened by an agent or customer. The issue can be exploited without JavaScript execution and is not mitigated by the configured Content Security Policy (CSP).

This issue affects OTRS:

* 7.0.x
* 8.0.x
* 2023.x
* 2024.x
* 2025.x
* 2026.x before 2026.4.x

Please note that ((OTRS)) Community Edition 6.x and earlier are also vulnerable. Products based on ((OTRS)) Community Edition are also very likely to be affected.
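The description above names the two properties that matter for a defender: the payload needs no script, and CSP does not stop it, because CSP governs what a page may load and execute, not how much work the browser spends rendering markup that is already inline in the document. The only effective control is therefore to neutralize the markup before it reaches the article view. The following is an added example of such an ingest-side filter and a retroactive triage helper; it is not OTRS code (OTRS itself is written in Perl; this is a stand-alone Python illustration). The attribute set, the list of "suspect" SVG child elements, and the sample article are all assumptions constructed for the example; the advisory does not name the specific SVG primitives involved.

```python
"""Defence-in-depth filter for inbound ticket article HTML (stdlib only).

Added example for CVE-2026-48208; not OTRS code. It strips inline <svg>
subtrees and SVG-bearing data: URLs from an article body before the body
is stored, and reports what it removed so the SOC can triage.
"""
import html
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Attributes that may carry an SVG document as a data: URL (assumed set).
URL_ATTRS = {"src", "href", "data", "xlink:href", "poster"}
# SVG children that cost rendering time without any script: filter
# primitives, SMIL animation and <use> references. Assumed heuristic;
# the advisory does not say which primitives the payloads use.
SUSPECT_SVG_CHILDREN = {
    "filter", "feturbulence", "fegaussianblur", "feconvolvematrix",
    "animate", "animatetransform", "animatemotion", "set", "use",
}
_SVG_DATA_URL = re.compile(r"^data:image/svg\+xml", re.IGNORECASE)


@dataclass
class Report:
    svg_blocks: int = 0      # inline <svg> subtrees dropped
    svg_urls: int = 0        # data:image/svg+xml attributes dropped
    suspect_children: list = field(default_factory=list)  # tags seen inside <svg>


class SvgStripper(HTMLParser):
    """Re-emits the document verbatim except for SVG content."""

    def __init__(self):
        # convert_charrefs=False: entities are echoed exactly as written,
        # so escaped text is never turned back into live markup on output.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.depth = 0       # > 0 while inside an <svg> subtree
        self.report = Report()

    def _scrub_attrs(self, attrs):
        kept = []
        for name, value in attrs:
            if name in URL_ATTRS and value is not None \
                    and _SVG_DATA_URL.match(re.sub(r"\s+", "", value)):
                self.report.svg_urls += 1
                continue
            kept.append((name, value))
        return kept

    @staticmethod
    def _render(tag, attrs, self_closing):
        parts = [tag] + [
            name if value is None else f'{name}="{html.escape(value, quote=True)}"'
            for name, value in attrs
        ]
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            if self.depth == 0:
                self.report.svg_blocks += 1
            self.depth += 1
            return
        if self.depth:
            if tag in SUSPECT_SVG_CHILDREN:
                self.report.suspect_children.append(tag)
            return
        self.out.append(self._render(tag, self._scrub_attrs(attrs), False))

    def handle_startendtag(self, tag, attrs):
        if self.depth:
            if tag in SUSPECT_SVG_CHILDREN:
                self.report.suspect_children.append(tag)
            return
        if tag == "svg":                      # self-closing <svg/> at top level
            self.report.svg_blocks += 1
            return
        self.out.append(self._render(tag, self._scrub_attrs(attrs), True))

    def handle_endtag(self, tag):
        if tag == "svg":
            self.depth = max(0, self.depth - 1)   # tolerate a stray </svg>
            return
        if not self.depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self.depth:
            self.out.append(f"<!--{data}-->")


def neutralize_svg(article_html):
    """Return (sanitized_html, Report) for one article body."""
    parser = SvgStripper()
    parser.feed(article_html)
    parser.close()
    return "".join(parser.out), parser.report


def triage(articles):
    """IDs of stored article bodies that still contain SVG content, for
    retroactive review of tickets that arrived before a fix was deployed."""
    flagged = []
    for article_id, body in articles.items():
        report = neutralize_svg(body)[1]
        if report.svg_blocks or report.svg_urls:
            flagged.append(article_id)
    return flagged


# Constructed sample article: a benign paragraph, an inline SVG that uses a
# filter primitive (no script), and an <img> carrying an SVG data: URL.
SAMPLE_ARTICLE = (
    "<p>Hello &amp; thanks for the ticket</p>"
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    '<filter id="f"><feTurbulence baseFrequency="0.01"/></filter>'
    '<rect width="1" height="1" filter="url(#f)"/>'
    "</svg>"
    '<img src="data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=" alt="logo">'
    "<p>Regards</p>"
)

if __name__ == "__main__":
    body, report = neutralize_svg(SAMPLE_ARTICLE)
    print(body)
    print(report)
```

Two design points. The filter drops whole `<svg>` subtrees rather than trying to allow-list SVG elements, because the cost of a filter or animation depends on attribute values (region size, iteration count, reference depth) that an element allow-list cannot judge; if inline SVG is a business requirement, render it through a rasterizing step server-side instead. The `triage` helper exists because the vulnerable articles are already in the database: patching the renderer stops new tickets from hurting, but agents opening old tickets still hit the stored payload until those articles are found and cleaned.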

PUBLISHED Reserved 2026-05-21 | Published 2026-06-01 | Updated 2026-06-01 | Assigner OTRS




MEDIUM: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Problem types

CWE-400 Uncontrolled Resource Consumption

CWE-791 Incomplete Filtering of Special Elements

Product status

OTRS
Default status: affected
* 7.0.x: affected
* 8.0.x: affected
* 2023.x: affected
* 2024.x: affected
* 2025.x: affected
* 2026.x: affected before 2026.4.x (see description)

((OTRS)) Community Edition
Default status: affected
* 6.x: affected

Credits

Special thanks to Daniel Trizna for reporting this vulnerability.

References

otrs.com/release-notes/otrs-security-advisory-2026-07/

cve.org (CVE-2026-48208)

nvd.nist.gov (CVE-2026-48208)
