Cyber Resilience

CVE-2026-48209

HighUpdated

Published: 01 June 2026

Published
01 June 2026
Modified
15 June 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
EPSS Score 0.0022 12.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-48209 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Otrs Otrs. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 12.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs,…

more

attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened. This issue affects OTRS: * 7.0.x Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Reflected XSS directly enables browser session hijacking by allowing arbitrary script execution in an authenticated web session context.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-69392Shared CWE-79
CVE-2025-0370Shared CWE-79
CVE-2025-67959Shared CWE-79
CVE-2026-24833Shared CWE-79
CVE-2025-27380Shared CWE-79
CVE-2026-35569Shared CWE-116, CWE-79
CVE-2026-23819Shared CWE-79
CVE-2025-25823Shared CWE-79
CVE-2025-41420Shared CWE-79
CVE-2026-44729Shared CWE-79

Affected Assets

otrs
otrs
≤ 6.0.32 · 7.0.0 — 7.0.49

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79 CWE-116

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

References