Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in os_watch.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ref and mode_orig POST parameters directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Published: 2026-05-21
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw located in os_watch.php. An authenticated attacker can submit crafted POST data via the ref and mode_orig parameters and have the unfiltered value echoed back into a hidden input field. When the victim’s browser renders the response, the injected JavaScript executes, allowing the attacker to steal session data, deface pages, or perform other malicious actions in the context of the user.

Affected Systems

All releases of Open ISES Tickets before version 3.44.2 are affected; the advisory names no configuration or deployment option that avoids the flaw, since it is a code-level issue in os_watch.php. Installations on any earlier minor or major release remain vulnerable until they are upgraded to 3.44.2 or later.

Risk and Exploitability

The CVSS 4.0 base score of 5.1 (Medium) reflects limited confidentiality and integrity impact, confined to the browser session, and no availability impact. Because the flaw is reflected, the attacker does not need an account of their own: what is required is that an authenticated user submits the crafted request, and since the parameters are POST parameters that means a page or form the attacker controls rather than a plain link. The two published vectors differ on the privilege requirement (CVSS 4.0 records PR:N with UI:A, CVSS 3.1 records PR:L with UI:R) and the description speaks of "authenticated attackers"; in practice the privileges that matter are the victim's, because the injected script runs with whatever the victim's session can do. No EPSS score is available and CISA has not added this CVE to the KEV catalog. Even so, arbitrary script executing in a logged-in user's session can expose session data and perform actions in that user's name, so the realistic outcome is session hijacking or further abuse of the victim's privileges within Open ISES Tickets, not code execution on the host.

Generated by OpenCVE AI on May 21, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround is recorded in this entry; the description itself names 3.44.2 as the first version without the flaw, which the recommended actions below rely on.

OpenCVE Recommended Actions

  • Upgrade Open ISES Tickets to version 3.44.2 or newer to eliminate the vulnerable code path.
  • If an immediate upgrade is infeasible, restrict who can reach os_watch.php and add a web application firewall rule covering the ref and mode_orig POST parameters. Because the reflection lands inside a quoted attribute value, a rule that only rejects script tags is insufficient: a payload that closes the quoted attribute and the tag (a double quote followed by >) can inject a new element with an event handler and never contains a script tag. Treat filtering as a stopgap, not a fix.
  • Ensure that every user-supplied value echoed into the form is HTML-encoded on the server for the attribute context (quotes included) before it is embedded in the markup, and validate parameters such as mode_orig against the set of values the application actually expects. Client-side validation offers no protection here, because the attacker controls the request.
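To make the mechanism and the fix concrete, here is an added PHP illustration. It is not the Open ISES Tickets source (this entry shows neither the actual form markup of os_watch.php nor how 3.44.2 fixes it); it reproduces the pattern the description names, ref and mode_orig reflected into hidden input value attributes, beside a hardened version that encodes for the attribute context and allowlists mode_orig. The function names, the allowed mode_orig values and the payload are assumptions constructed for the example.

```php
<?php
// Added illustration for CVE-2026-48226; this is NOT the Open ISES Tickets
// source. It reproduces the pattern the advisory describes (POST values
// reflected into hidden input value attributes) and the corresponding fix.
// Function names, the allowed mode_orig values and the payload are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the raw POST values are concatenated into the markup.
function renderHiddenFieldsVulnerable(array $post): string
{
    $ref  = (string)($post['ref'] ?? '');
    $mode = (string)($post['mode_orig'] ?? '');
    return '<input type="hidden" name="ref" value="' . $ref . '">' . "\n"
         . '<input type="hidden" name="mode_orig" value="' . $mode . '">' . "\n";
}

// Encode for the HTML attribute context. ENT_QUOTES covers both quote styles,
// so the value can no longer terminate the attribute it sits in; ENT_SUBSTITUTE
// keeps invalid UTF-8 from silently turning the whole string into "".
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: encode every reflected value, and reject mode_orig values
// outside an allowlist (the allowed set here is assumed for the example).
function renderHiddenFieldsFixed(array $post): string
{
    $ref  = (string)($post['ref'] ?? '');
    $mode = (string)($post['mode_orig'] ?? '');
    $allowedModes = ['view', 'edit'];
    if (!in_array($mode, $allowedModes, true)) {
        $mode = '';
    }
    return '<input type="hidden" name="ref" value="' . attr($ref) . '">' . "\n"
         . '<input type="hidden" name="mode_orig" value="' . attr($mode) . '">' . "\n";
}

// Constructed payload: a double quote closes the value attribute, ">" closes
// the input tag, and a new element with an event handler follows. It contains
// no "<script" at all, so a filter that only rejects script tags misses it.
$payload = '"><img src=x onerror=alert(document.cookie)>';
$post    = ['ref' => $payload, 'mode_orig' => 'view'];

$vuln  = renderHiddenFieldsVulnerable($post);
$fixed = renderHiddenFieldsFixed($post);

// Vulnerable output: the browser parses a real <img> element.
if (!str_contains($vuln, '<img src=x onerror=')) {
    throw new RuntimeException('expected the raw payload to break out of the attribute');
}
// Fixed output: the quote is encoded, so the payload stays inside the value.
if (str_contains($fixed, '<img') || !str_contains($fixed, 'value="&quot;&gt;&lt;img')) {
    throw new RuntimeException('encoding did not neutralise the payload');
}

echo "vulnerable:\n", $vuln, "\nfixed:\n", $fixed;
```

Run it with the php command-line interpreter (PHP 8 or later for str_contains). The two checks at the end throw if the vulnerable render fails to break out or the hardened render fails to neutralise the payload; compare the two printed fragments to see that in the fixed output the double quote, the angle brackets and therefore the img element are all encoded, while nothing the application needs is lost. The same encoding belongs on every reflected value, not only on the two parameters this CVE names.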


Advisories

No advisories yet.

History

Thu, 21 May 2026 19:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 17:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in os_watch.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ref and mode_orig POST parameters directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Title         (none)           Open ISES Tickets < 3.44.2 Reflected XSS via os_watch.php ref and mode_orig Parameters
Weaknesses    (none)           CWE-79
References    (none)
Metrics       (none)           cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
                               cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T18:17:43.859Z

Reserved: 2026-05-21T13:15:18.100Z

Link: CVE-2026-48226

Vulnrichment

Updated: 2026-05-21T18:17:29.790Z

NVD

Status: Deferred

Published: 2026-05-21T18:16:19.127

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48226

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T18:30:16Z

Weaknesses