Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Published: 2026-05-21
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open ISES Tickets before version 3.44.2 contains a reflected cross-site scripting flaw in add.php. An authenticated attacker can send a crafted POST request with an unsanitized ticket_id parameter, and the supplied JavaScript is reflected back into a form value attribute. When the response is rendered, the code executes in the victim's browser, enabling session hijacking, credential theft, or defacement.
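The attribute-context reflection described above, shown as an added illustration of the vulnerable pattern beside its hardened form. This is constructed example code, not Open ISES code; the function names and the assumption that ticket_id is a numeric identifier are hypothetical.

```php
<?php
// Constructed illustration (not Open ISES code) of how a POST value
// reaches an HTML attribute context, and how output encoding contains it.

// Vulnerable pattern: the raw value is concatenated into value="...".
// A double quote in the input terminates the attribute early, so anything
// that follows is parsed by the browser as markup rather than as data.
function render_ticket_input_vulnerable(string $ticketId): string
{
    return '<input type="text" name="ticket_id" value="' . $ticketId . '">';
}

// Hardened pattern: encode for the HTML attribute context before output.
// ENT_QUOTES encodes both quote characters, so the value can never close
// the attribute; the charset is given explicitly to avoid mis-decoding.
function render_ticket_input_safe(string $ticketId): string
{
    $encoded = htmlspecialchars($ticketId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="ticket_id" value="' . $encoded . '">';
}

// Defence in depth, assuming ticket_id is only ever a positive integer
// (an assumption about the application, not stated in the advisory):
// validate the input and reject anything else before it is rendered.
function ticket_id_or_null(?string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Constructed sample input: a quote character followed by extra markup.
// The vulnerable renderer emits a second attribute; the safe renderer
// keeps the whole string inside the value attribute as encoded text.
$sample = '123" data-x="y';
echo render_ticket_input_vulnerable($sample), PHP_EOL;
echo render_ticket_input_safe($sample), PHP_EOL;
var_dump(ticket_id_or_null($sample));   // validation rejects the sample
var_dump(ticket_id_or_null('123'));     // a plain numeric id is accepted
```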

Affected Systems

The vulnerability affects the Open ISES:Tickets application. All deployments running a version older than 3.44.2 are potentially impacted, including any environment where authenticated users can access the add.php endpoint.

Risk and Exploitability

The CVSS score of 5.1 denotes moderate severity. EPSS data is not available and the flaw is not listed in CISA KEV, indicating no documented mass exploitation. An attacker must be authenticated and able to craft a POST request to /add.php. The exploit causes code to run in the victim's browser when the response is rendered. Because the description does not explicitly state an interaction requirement, it is inferred that user interaction, such as clicking a malicious link, is necessary to trigger the reflected payload.

Generated by OpenCVE AI on May 21, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later, which contains the fix for the ticket_id input handling.
  • If an upgrade is not immediately possible, restrict or remove authenticated access to the add.php functionality to prevent malicious POST submissions.
  • Configure a web application firewall or equivalent filtering to block POST requests to add.php that contain suspicious script payloads in the ticket_id parameter.

Advisories

No advisories yet.

History

Thu, 21 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Title | | Open ISES Tickets < 3.44.2 Reflected XSS via add.php ticket_id Parameter
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T19:32:00.813Z

Reserved: 2026-05-21T13:15:18.099Z

Link: CVE-2026-48213

Vulnrichment

Updated: 2026-05-21T19:31:54.221Z

NVD

Status: Deferred

Published: 2026-05-21T17:16:22.370

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48213

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T19:15:20Z

Weaknesses