Unknown · OTRS Community Edition · CVE-2026-48208
**Name of the Vulnerable Software and Affected Versions**
OTRS versions 7.0.X
OTRS versions 8.0.X
OTRS versions 2023.X
OTRS versions 2024.X
OTRS versions 2025.X
OTRS versions prior to 2026.4.X
OTRS Community Edition versions 6.x and earlier
**Description**
Improper neutralization of active SVG content in ticket article rendering allows attackers to inject specially crafted SVG payloads through email content. When an agent or customer opens an affected ticket, the payload causes browser-side resource exhaustion and denial of service. The issue does not require JavaScript execution and is not mitigated by the configured Content Security Policy (CSP), a security layer that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.
**Recommendations**
Update OTRS versions 7.0.X, 8.0.X, 2023.X, 2024.X, and 2025.X to a version containing the fix.
Update OTRS version 2026.X to version 2026.4.X or later.
Update OTRS Community Edition version 6.x and earlier to a patched version.