SECURITY ADVISORY

OTOBO 11.0.9 – Security Patch

[Security | high] Privilege escalation vulnerability resolved (CVE-2025-43926)
Thanks to a report by Tim Püttmanns (maxence), a potential security vulnerability has been fixed. This update enhances the security of your OTOBO environment and helps prevent unauthorized access. After updating the core, please ensure that all affected add-ons are updated via the package manager.

[Enhancement] The ticket search now supports searching for selected subfields of the Dynamic Field Set – making it easier to find specific information. [#4261]
[Enhancement] A new option (Ticket::Frontend::AsteriskExplanation) allows to display an explanatory note at the top of forms: “Fields marked with * are mandatory.” – This promotes accesssibility. [#3954]

[Bugfix] Resolved an issue in the customer ticket form where ticket creation failed if a DateTime field was hidden and past dates were not allowed. [#4238]
[Bugfix] Fixed missing translations for dynamic field titles on mouse hover – titles are now displayed correctly. [#4196]
[Bugfix] Fixed an issue where the dynamic field TicketReference did not correctly find ticket numbers. [#4303]
[Bugfix] Fixed an error that occurred when clearing the dynamic field Database in multiselect mode. [#4301]