CVE-2026-1048 identifies a cross-site scripting (XSS) vulnerability in LigeroSmart, a web-based ticketing and customer support platform, affecting all versions up to 6.1.26. The flaw resides in the handling of the TicketID parameter within the /otrs/index.pl?Action=AgentTicketZoom endpoint. Specifically, the application fails to properly sanitize or encode user-supplied input in this parameter, enabling attackers to inject arbitrary JavaScript code. This vulnerability can be triggered remotely without authentication, although it requires user interaction, such as a victim clicking a maliciously crafted URL. The injected script could execute in the context of the victim’s browser, potentially allowing attackers to steal session cookies, perform actions on behalf of the user, or conduct phishing attacks. The CVSS 4.0 base score is 5.1 (medium), reflecting the ease of remote exploitation and the limited scope of impact primarily on confidentiality and integrity. The vendor was notified early but has not yet issued a patch or official response. Public exploit code is available, increasing the risk of opportunistic attacks. LigeroSmart is commonly used in IT service management and customer support environments, making this vulnerability relevant for organizations relying on this software for ticket tracking and communication.

The primary impact of this vulnerability is the potential compromise of user sessions and data confidentiality through the execution of malicious scripts in the victim’s browser. Attackers could hijack user sessions, steal sensitive information, or manipulate the user interface to conduct phishing or social engineering attacks. While the vulnerability does not directly affect system availability or integrity of backend data, successful exploitation could lead to unauthorized actions performed by the victim user, potentially escalating to broader access depending on user privileges. Organizations using LigeroSmart for customer support or internal ticketing may face reputational damage, data leakage, and increased risk of targeted attacks. The lack of vendor response and patch increases exposure, especially as public exploit code is available. The medium severity rating reflects the moderate risk, but the ease of remote exploitation without authentication makes it a significant concern for affected deployments.

1. Implement immediate input validation and output encoding on the TicketID parameter to neutralize malicious scripts. 2. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting /otrs/index.pl?Action=AgentTicketZoom with anomalous TicketID values. 3. Restrict access to the affected endpoint to trusted IP ranges or authenticated users where possible, reducing exposure. 4. Educate users to avoid clicking on suspicious links and enable browser security features such as Content Security Policy (CSP) to limit script execution. 5. Monitor logs for unusual activity related to this endpoint and TicketID parameter to detect exploitation attempts. 6. Engage with the LigeroSmart vendor or community to obtain patches or updates addressing this vulnerability. 7. Consider temporary mitigation by disabling or restricting the vulnerable functionality if feasible until an official patch is available.