Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the _type POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Published: 2026-05-21
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the landb.php script of Open ISES Tickets. An authenticated attacker can exploit an unsanitized _type POST parameter that is echoed directly into an HTML hidden input value attribute. This results in reflected cross-site scripting, enabling the attacker to run arbitrary JavaScript on the victim’s browser when the response is rendered. The consequences include session hijacking, data theft, and possible defacement of the application, as the attack is performed within the context of the authenticated user’s session.

Affected Systems

All versions of Open ISES Tickets older than 3.44.2 are affected. The vulnerability is limited to the landb.php endpoint and applies to the Open ISES:Tickets product.

Risk and Exploitability

The CVSS score for this flaw is 5.1, indicating a medium severity. No exploit probability data is available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers must be authenticated to the ticketing system and must send a crafted POST request to landb.php. Once the victim loads the generated page, the injected JavaScript executes, which can compromise the victim’s session or exfiltrate sensitive data.

Generated by OpenCVE AI on May 21, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to Open ISES Tickets version 3.44.2 or later, which removes the unsanitized handling of the _type parameter.
  • Restrict access to the landb.php endpoint so that only users who truly need this functionality can use it, thereby lowering the likelihood that an attacker can reach the vulnerable code.
  • If an immediate upgrade is not possible, modify the landb.php script to properly escape or sanitize the _type value before rendering it in the hidden input attribute, or temporarily disable the affected functionality.
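The escaping fix in the last item, as an added example rather than the project's own code: a hypothetical reconstruction of the landb.php pattern (function names, the allowlist values and the constructed input are assumptions), showing the unsanitized rendering beside a hardened version that validates _type against an allowlist and escapes it for the HTML attribute context.

```php
<?php
// Added example, not Open ISES Tickets' own code: a hypothetical
// reconstruction of the pattern the advisory describes, beside a hardened
// version. Function names, allowlist values and sample input are assumed.

// Vulnerable pattern: the raw POST value lands inside a quoted attribute.
// A value containing a double quote closes the attribute, so an attacker
// can add attributes or break out of the tag entirely (CWE-79).
function render_hidden_type_unsafe(array $post): string
{
    $type = $post['_type'] ?? '';
    return '<input type="hidden" name="_type" value="' . $type . '">';
}

// Hardened version, two layers:
// 1. Validate against an allowlist of values the page actually expects
//    (the set below is assumed; substitute the real _type values).
// 2. Escape for the attribute context with ENT_QUOTES so both " and ' are
//    neutralised, and name the charset explicitly.
const ALLOWED_TYPES = ['ticket', 'asset', 'contact']; // assumed values

function render_hidden_type_safe(array $post): string
{
    $type = (string)($post['_type'] ?? '');
    if (!in_array($type, ALLOWED_TYPES, true)) {
        // Reject unknown values instead of reflecting them back.
        $type = '';
    }
    $escaped = htmlspecialchars($type, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="_type" value="' . $escaped . '">';
}

// Constructed input: a double quote followed by a harmless attribute is
// enough to show the attribute break-out; no script content is needed.
$constructed = ['_type' => 'ticket" data-x="y'];

echo render_hidden_type_unsafe($constructed), PHP_EOL;
echo render_hidden_type_safe($constructed), PHP_EOL;
```

The first line of output shows the injected attribute surviving intact; the second shows the value rejected by the allowlist, and even a legitimate value would have its quotes encoded before reaching the attribute.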

Advisories

No advisories yet.

History

Thu, 21 May 2026 19:30:00 +0000

Values added:
  • Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 17:45:00 +0000

Values added:
  • Description: Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the _type POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
  • Title: Open ISES Tickets < 3.44.2 Reflected XSS via landb.php _type Parameter
  • Weaknesses: CWE-79
  • References:
  • Metrics: cvssV3_1
    {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  • Metrics: cvssV4_0
    {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T19:03:20.764Z

Reserved: 2026-05-21T13:15:18.100Z

Link: CVE-2026-48225

Vulnrichment

Updated: 2026-05-21T19:03:03.944Z

NVD

Status: Deferred

Published: 2026-05-21T18:16:19.000

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T18:30:16Z

Weaknesses