CVE-2026-48188

Received
Published: 01 Jun 2026, 03:33
Last modified:01 Jun 2026, 03:33

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.1 CRITICAL
v3.1 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

01 Jun 2026, 03:33
Published
Vulnerability first disclosed

Description

An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X * (OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected

CVSS Metrics

  • v3.1CRITICALScore: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Techniques & Countermeasures

  • CWE-20Improper Input Validation

    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

  • otrs agotrs

    ≥ 7.0.0, < 7.1.0 | ≥ 8.0.0, < 8.1.0 | ≥ 2023.0, < 2024.0 | ≥ 2024.0, < 2025.0 | ≥ 2025.0, < 2026.0 | ≥ 2026.x, ≤ 2026.3.x

  • otrs ag((otrs)) community edition

    ≥ 6.0, < 7.0

References (1)