Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited.
Published: 2026-05-20
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open ISES Tickets before version 3.44.2 is vulnerable to reflected cross‑site scripting. The ticket_id GET parameter is written directly into a hidden INPUT element’s VALUE attribute without sanitization, allowing an attacker to inject arbitrary JavaScript. When a victim opens a crafted URL, the script executes in their browser, potentially enabling session hijacking, credential theft, or defacement. This vulnerability is the classic CWE‑79 reflected XSS scenario.

Affected Systems

The affected product is Open ISES Tickets for the vendor openises:tickets. All releases older than 3.44.2 are impacted. No specific sub‑versions beyond the version cutoff are listed.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. The EPSS score is not available, so the current exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user able to access the system and the malicious URL; the attacker must craft a link containing a ticket_id payload. Once the user visits the link, the injected code runs with the victim’s browser context, providing a significant attack surface for client‑side payloads.

Generated by OpenCVE AI on May 20, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Sanitize or encode the ticket_id GET parameter before rendering it in the hidden INPUT element’s VALUE attribute.
  • Implement a web application firewall rule or Content Security Policy to block injected scripts from executing.

Generated by OpenCVE AI on May 20, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited.
Title Open ISES Tickets < 3.44.2 Reflected XSS via routes_nm.php ticket_id Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-20T19:40:14.320Z

Reserved: 2026-03-31T20:40:15.618Z

Link: CVE-2026-35014

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-20T20:16:38.780

Modified: 2026-05-20T20:16:38.780

Link: CVE-2026-35014

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T21:30:36Z

Weaknesses