Two vulnerabilities are worth moving on this week, for different reasons. One is a critical flaw in a widely used service-desk platform with a public advisory. The other is a Linux privilege-escalation bug the US cyber agency has confirmed is already being exploited. Neither needs drama. Both need patching.

OTRS: a pre-auth SQL injection

OTRS is a ticketing and service-management platform used by IT and support teams. CVE-2026-48188 (CVSS 9.1, Critical), disclosed on 1 June, is an unauthenticated SQL-injection flaw in its database layer that can lead to an authentication bypass. No login is needed to attempt it. One condition narrows the blast radius: per the advisory, the system is only affected when its MySQL or MariaDB database runs in NO_BACKSLASH_ESCAPES mode. Affected releases run from the 7.0 and 8.0 lines through the 2023 to 2026 versions before 2026.4. Patch to a fixed build, and check the database SQL mode while you are there.
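The two conditions above (an affected release and a database running with NO_BACKSLASH_ESCAPES) are easy to check together. The following triage helper is an added illustration, not code from the OTRS project or the advisory: it takes the installed OTRS version string and the value a `SELECT @@GLOBAL.sql_mode` query returns, and reports whether both conditions hold. The version boundaries are an assumption taken from the article's wording; confirm them against the vendor advisory before relying on the verdict.

```python
"""Triage helper for the OTRS SQL-injection advisory conditions.

Added illustration, not OTRS project code. It encodes the two conditions the
article reports from the advisory: the installed release is in the affected
range, and the MySQL/MariaDB server has NO_BACKSLASH_ESCAPES in sql_mode.
The version boundaries are an assumption derived from the article's wording
("7.0 and 8.0 lines through the 2023 to 2026 versions before 2026.4").
"""
import re

FIXED_RELEASE = (2026, 4)  # first fixed build per the article


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2026.3', '8.0.42' or '7.0.30' into a comparable tuple of ints."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", version)
    if not m:
        raise ValueError(f"unrecognised OTRS version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_affected(version: str) -> bool:
    """True if the release falls in the range the article describes.

    Assumption: the 7.x and 8.x lines are wholly affected, as are the
    2023.x through 2025.x lines, and 2026.x releases below 2026.4.
    """
    v = parse_version(version)
    major = v[0]
    if major in (7, 8):
        return True
    if 2023 <= major <= 2025:
        return True
    if major == 2026:
        return v < FIXED_RELEASE
    return False


def sql_mode_flags(sql_mode: str) -> set[str]:
    """Split the value of @@sql_mode (comma separated) into a set of flags."""
    return {flag.strip().upper() for flag in sql_mode.split(",") if flag.strip()}


def database_exposed(sql_mode: str) -> bool:
    """True when NO_BACKSLASH_ESCAPES is set, the precondition the advisory names."""
    return "NO_BACKSLASH_ESCAPES" in sql_mode_flags(sql_mode)


def assess(version: str, sql_mode: str) -> dict:
    """Combine both conditions into a triage verdict and a recommended action."""
    vuln_release = version_affected(version)
    exposed_db = database_exposed(sql_mode)
    if vuln_release and exposed_db:
        verdict, action = "EXPOSED", "patch to 2026.4 or later now"
    elif vuln_release:
        verdict, action = "VULNERABLE_RELEASE", "patch to 2026.4 or later on the normal schedule"
    else:
        verdict, action = "NOT_AFFECTED", "no action for this advisory"
    return {
        "version": version,
        "release_affected": vuln_release,
        "db_mode_exposed": exposed_db,
        "verdict": verdict,
        "action": action,
    }


# Constructed sample inputs (not real hosts): what `SELECT @@GLOBAL.sql_mode`
# might return on three servers, paired with the OTRS version each one serves.
SAMPLE_HOSTS = [
    ("2026.3", "STRICT_TRANS_TABLES,NO_BACKSLASH_ESCAPES,NO_ENGINE_SUBSTITUTION"),
    ("2026.4", "STRICT_TRANS_TABLES,NO_BACKSLASH_ESCAPES"),
    ("8.0.40", "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"),
]

if __name__ == "__main__":
    for ver, mode in SAMPLE_HOSTS:
        result = assess(ver, mode)
        print(f"OTRS {result['version']:<8} {result['verdict']:<19} {result['action']}")
```

A release on a database without NO_BACKSLASH_ESCAPES still gets the patch on the normal schedule: the SQL mode narrows exposure to this flaw, it does not make the vulnerable code go away.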

Linux: a root bug already exploited

On 27 May, CISA added a Linux privilege-escalation flaw to its Known Exploited Vulnerabilities catalogue, alongside two others. A KEV listing is the signal that matters: it means real exploitation, not a theoretical risk. The Linux bug lets a local attacker escalate to root, per The Hacker News, which turns a minor foothold into full control of a machine.

| Vulnerability | Affects | Type | Severity | Action |
|---|---|---|---|---|
| CVE-2026-48188 | OTRS service desk | Unauth SQL injection → auth bypass | CVSS 9.1 | Patch to 2026.4+; check DB SQL mode |
| Linux root flaw | Linux (local) | Privilege escalation → root | In KEV | Exploited; patch on CISA timeline |

The pattern

This week also saw an actively exploited Palo Alto firewall flaw added to the same catalogue, which we covered separately. Read the three together and the lesson is dull and reliable: the bugs getting exploited are in the software organisations run every day, and the fix is to patch on the published timeline rather than wait for an incident to force it.

Note: Defensive reporting for patch prioritisation. No exploit code or proof-of-concept is reproduced here.