Description
Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
Published: 2026-01-12
Score: 8.7 High
EPSS: 75.4% High
KEV: No
Impact: Arbitrary File Read
Action: Immediate Patch
AI Analysis

Impact

Enhancesoft osTicket versions 1.18.x earlier than 1.18.3 and 1.17.x earlier than 1.17.7 expose an arbitrary file read flaw in their PDF export routine. The flaw arises because rich-text HTML in submitted tickets is processed by the mPDF generator without proper sanitization of PHP filter expressions. When an attacker creates a ticket with crafted HTML and later triggers a PDF export, the resulting document can embed the contents of attacker-chosen files from the server's local filesystem as bitmap images, disclosing sensitive files readable in the context of the osTicket application user. This vulnerability is mapped to CWE-74, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection').

Affected Systems

The affected vendor is Enhancesoft, specifically the osTicket ticket management application. Versions 1.18.x before 1.18.3 and 1.17.x before 1.17.7 are vulnerable. No other versions or additional vendors were identified from the CNA data.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and an EPSS rating of 75% suggests a high probability of exploitation in real-world scenarios. Although the flaw is not listed in the CISA KEV catalog, the default configuration of many installations allows guests or self-registered users to submit tickets and export them to PDF, giving an attacker a straightforward remote entry path. Because the PHP filter expressions are insufficiently sanitized, the vulnerability is easy to exploit once a ticket is created, leading to disclosure of local files within the application context.

Generated by OpenCVE AI on April 16, 2026 at 08:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade osTicket to version 1.18.3 or later, or to version 1.17.7 or later, which contain the fix for the PDF export file inclusion issue.
  • If an upgrade is delayed, immediately restrict access to PDF export for anonymous or self‑registered users, ensuring that only authenticated and authorized personnel can generate ticket PDFs.
  • Review and tighten the application’s guest and self‑registration settings; disable them if they are not required, to eliminate the attack vector that relies on ticket creation by unauthenticated users.

Generated by OpenCVE AI on April 16, 2026 at 08:43 UTC.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:enhancesoft:osticket:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Thu, 22 Jan 2026 23:00:00 +0000


Tue, 20 Jan 2026 15:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Enhancesoft osTicket versions 1.18.3 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
  Added: Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
Title
  Removed: osTicket < 1.18.3 PDF Export Arbitrary File Read
  Added: osTicket (1.18.x < 1.18.3, 1.17.x < 1.17.7) PDF Export Arbitrary File Read
References

Thu, 15 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
References

Thu, 15 Jan 2026 21:00:00 +0000

Type Values Removed Values Added
Description
  Removed: Enhancesoft osTicket versions up to and including 1.18.2 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
  Added: Enhancesoft osTicket versions 1.18.3 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
Title
  Removed: osTicket <= 1.18.2 PDF Export Arbitrary File Read
  Added: osTicket < 1.18.3 PDF Export Arbitrary File Read
References

Tue, 13 Jan 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Enhancesoft
Enhancesoft osticket
Vendors & Products Enhancesoft
Enhancesoft osticket

Mon, 12 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 19:00:00 +0000

Type Values Removed Values Added
Description Enhancesoft osTicket versions up to and including 1.18.2 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
Title osTicket <= 1.18.2 PDF Export Arbitrary File Read
Weaknesses CWE-74
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:44:09.610Z

Reserved: 2026-01-06T16:47:17.184Z

Link: CVE-2026-22200

Vulnrichment

Updated: 2026-01-12T18:54:52.084Z

NVD

Status: Analyzed

Published: 2026-01-12T19:16:02.933

Modified: 2026-01-27T20:27:55.677

Link: CVE-2026-22200

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T08:45:26Z
