Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited.
Published: 2026-05-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open ISES Tickets before version 3.44.2 is vulnerable to reflected cross‑site scripting. The ticket_id GET parameter is written directly into a hidden INPUT element’s VALUE attribute without sanitization, allowing an attacker to inject arbitrary JavaScript. When a victim opens a crafted URL, the script executes in their browser, potentially enabling session hijacking, credential theft, or defacement. This vulnerability is the classic CWE‑79 reflected XSS scenario.

Affected Systems

The affected product is Open ISES Tickets for the vendor openises:tickets. All releases older than 3.44.2 are impacted. No specific sub‑versions beyond the version cutoff are listed.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. The EPSS score is not available, so the current exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user able to access the system and the malicious URL; the attacker must craft a link containing a ticket_id payload. Once the user visits the link, the injected code runs with the victim’s browser context, providing a significant attack surface for client‑side payloads.

Generated by OpenCVE AI on May 20, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Sanitize or encode the ticket_id GET parameter before rendering it in the hidden INPUT element’s VALUE attribute.
  • Implement a web application firewall rule or Content Security Policy to block injected scripts from executing.

Generated by OpenCVE AI on May 20, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Openises
Openises tickets
Vendors & Products Openises
Openises tickets

Wed, 20 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited.
Title Open ISES Tickets < 3.44.2 Reflected XSS via routes_nm.php ticket_id Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Openises Tickets
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T12:30:09.646Z

Reserved: 2026-03-31T20:40:15.618Z

Link: CVE-2026-35014

cve-icon Vulnrichment

Updated: 2026-05-21T12:30:03.503Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T20:16:38.780

Modified: 2026-05-21T15:17:59.850

Link: CVE-2026-35014

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T08:18:47Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')