Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
Assigner (CNA / source):[email protected] Remove this filter
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-48188 | An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X * (OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Ed | 9.1 | 0.36% | 2026-06-01 | 2026-06-17 |
| CVE-2023-5422 | The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the SSL_get_verify_result() function is not used the certificated is trusted always and it can not be ensured that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certi | 8.7 | 0.28% | 2023-10-16 | 2026-06-17 |
| CVE-2024-43444 | Passwords of agents and customers are displayed in plain text in the OTRS admin log module if certain configurations regarding the authentication sources match and debugging for the authentication backend has been enabled. This issue affects: * OTRS from 7.0.X through 7.0.50 * OTRS 8.0.X * OTRS 2023.X * OTRS from 2024.X through 2024.5.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected | 8.2 | 0.38% | 2024-08-26 | 2026-06-17 |
| CVE-2023-6254 | A Vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords which are send back to the client in the server response- This issue affects OTRS: from 8.0.X through 8.0.37. | 8.1 | 0.65% | 2023-11-27 | 2026-06-17 |
| CVE-2023-2534 | Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via ticket histories by any user. (Fuzzing for garnering other adjacent user/sensitive data). Subscribing to all possible push events could also lead to performance implications on the server side, depending on the size of the installation and th | 7.6 | 0.53% | 2023-05-08 | 2026-06-17 |
| CVE-2022-39052 | An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system | 7.5 | 0.56% | 2022-10-17 | 2026-06-17 |
| CVE-2021-21441 | There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions. | 7.5 | 1.22% | 2021-06-16 | 2026-06-16 |
| CVE-2023-1250 | Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | 7.4 | 0.29% | 2023-03-20 | 2026-06-17 |
| CVE-2020-1773 | An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions. | 7.3 | 1.50% | 2020-03-27 | 2026-06-16 |
| CVE-2023-38056 | Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | 7.2 | 0.79% | 2023-07-24 | 2026-06-17 |
| CVE-2026-48209 | An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened. This issue affects OTRS: * 7.0.x Please note | 7.1 | 0.18% | 2026-06-01 | 2026-06-17 |
| CVE-2025-24390 | A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X | 6.8 | 0.19% | 2025-01-27 | 2026-06-17 |
| CVE-2022-39051 | Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package | 6.8 | 0.66% | 2022-09-05 | 2026-06-17 |
| CVE-2026-48208 | An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent or customer. The issue can be exploited without JavaScript execution and is not mitigated by the configured Content Security Policy (CSP). This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X | 6.5 | 0.27% | 2026-06-01 | 2026-06-17 |
| CVE-2022-4427 | Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | 6.5 | 0.71% | 2022-12-19 | 2026-06-17 |
| CVE-2021-36092 | It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions. | 6.5 | 0.72% | 2021-07-26 | 2026-06-16 |
| CVE-2021-21439 | DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions. | 6.5 | 0.98% | 2021-06-14 | 2026-06-16 |
| CVE-2020-1772 | It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | 6.5 | 1.62% | 2020-03-27 | 2026-06-16 |
| CVE-2021-36100 | Specially crafted string in OTRS system configuration can allow the execution of any system command. | 6.4 | 1.30% | 2022-03-21 | 2026-06-16 |
| CVE-2025-24389 | Certain errors of the upstream libraries will insert sensitive information in the OTRS or ((OTRS)) Community Edition log mechanism and mails send to the system administrator. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected | 6.3 | 0.13% | 2025-01-27 | 2026-06-17 |