PT-2026-45264 · Unknown+1 · Otrs Community Edition+1

Daniel Triznafor · Published 2026-06-01 · Updated 2026-06-01 · CVE-2026-48208

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
- OTRS versions 7.0.X
- OTRS versions 8.0.X
- OTRS versions 2023.X
- OTRS versions 2024.X
- OTRS versions 2025.X
- OTRS versions prior to 2026.4.X
- OTRS Community Edition versions 6.x and earlier
Description
Improper neutralization of active SVG content in ticket article rendering allows attackers to inject specially crafted SVG payloads through email content. When an agent or customer opens an affected ticket, the browser rendering the article exhausts its resources, resulting in a denial of service. The issue does not require JavaScript execution and is not mitigated by the configured Content Security Policy (CSP), a browser security layer that helps detect and mitigate certain classes of attack, including cross-site scripting (XSS) and data injection; because the payload is passive markup rather than script, a CSP that blocks inline scripts does not stop it.
Recommendations
- Update OTRS versions 7.0.X, 8.0.X, 2023.X, 2024.X, and 2025.X to a version containing the fix.
- Update OTRS version 2026.X to version 2026.4.X or later.
- Update OTRS Community Edition version 6.x and earlier to a patched version.
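The vendor update is the fix; the advisory gives no detail of the patch. As an added illustration of the defensive principle it describes (neutralizing active SVG content before a ticket article reaches the browser), the following Python is a hypothetical server-side pre-render filter written for this page. It is not OTRS code and not the vendor's patch. It drops every inline `<svg>` subtree from an HTML article body, re-emits everything else unchanged, and reports how many subtrees it removed so the event can be logged or surfaced to an agent. The `SAMPLE_ARTICLE` input is constructed for the example and is not a real payload.

```python
from html.parser import HTMLParser


class SvgStripper(HTMLParser):
    """Re-emits an HTML fragment unchanged except that every <svg> ... </svg>
    subtree (including nested <svg> elements) is dropped.

    Hypothetical helper for illustration; it is not OTRS code and not the
    vendor's fix. It is deliberately conservative: an <svg> that is never
    closed causes the rest of the fragment to be dropped rather than leaked.
    """

    def __init__(self) -> None:
        # convert_charrefs=False so entities are re-emitted verbatim rather
        # than decoded (decoding would re-introduce raw '<' into the output).
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []
        self.svg_depth = 0   # > 0 while inside an <svg> subtree
        self.removed = 0     # number of top-level <svg> subtrees dropped

    def handle_starttag(self, tag, attrs):
        if tag == "svg":                       # HTMLParser lowercases tag names
            if self.svg_depth == 0:
                self.removed += 1
            self.svg_depth += 1
            return
        if self.svg_depth == 0:
            self.out.append(self.get_starttag_text())   # original text, attrs intact

    def handle_startendtag(self, tag, attrs):
        # Self-closing form, e.g. <svg/> or <br/>
        if tag == "svg":
            if self.svg_depth == 0:
                self.removed += 1
            return
        if self.svg_depth == 0:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "svg":
            self.svg_depth = max(self.svg_depth - 1, 0)
            return
        if self.svg_depth == 0:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.svg_depth == 0:
            self.out.append(data)

    def handle_entityref(self, name):
        if self.svg_depth == 0:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if self.svg_depth == 0:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if self.svg_depth == 0:
            self.out.append(f"<!--{data}-->")


def neutralize_inline_svg(html: str) -> tuple[str, int]:
    """Return (sanitized_html, number_of_svg_subtrees_removed)."""
    p = SvgStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed


# Constructed sample article body (not a real payload): ordinary HTML with an
# inline SVG that the renderer should not hand to the agent's browser.
SAMPLE_ARTICLE = (
    '<p>Hello &amp; welcome</p>'
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10"/></svg>'
    '<p>Regards<br/>Support</p>'
)

if __name__ == "__main__":
    clean, n = neutralize_inline_svg(SAMPLE_ARTICLE)
    print(f"removed {n} svg subtree(s): {clean}")
```

A filter like this belongs on the server, at the point where the article HTML is prepared for display, not in the browser: the advisory's point is that the browser is the component being exhausted, so the content must be neutralized before it gets there. Removing the element entirely (rather than trying to judge which SVG constructs are "heavy") keeps the check simple and avoids a bypass-driven allowlist; if inline vector graphics are genuinely needed, rendering them to a raster image server-side is the safer alternative.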

Tags: Fix · DoS · Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2026-48208

Affected Products

Otrs
Otrs Community Edition