Description
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in db_loader.php where the multiple POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) are concatenated into mysqli connection arguments and dynamic SQL operating against an attacker-controlled database without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.
Published: 2026-05-21
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open ISES Tickets versions prior to 3.44.2 suffer from a SQL injection flaw in db_loader.php. The script concatenates four POST parameters—ticketsdb, ticketshost, ticketsuser, ticketspassword—into mysqli connection arguments and forms dynamic SQL that is sent to an attacker‑controlled database. Because no input sanitization or prepared statements are used, an authenticated attacker can craft requests that alter query semantics, allowing read, write or delete operations against any configured database.

Affected Systems

Affected deployments include all instances of Open ISES Tickets running a version older than 3.44.2. The vulnerability can be exercised by any user who has authenticated access to the web application, as the POST parameters are accepted through the public endpoint db_loader.php.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity level. The EPSS score is not available, and the issue is not listed in CISA KEV. The likely attack vector is an authenticated HTTP POST request to db_loader.php. Because the flaw requires validity of credentials, the risk is confined to accounts with database management privileges, but the impact on data confidentiality, integrity and availability is significant once exploited.

Generated by OpenCVE AI on May 21, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later to apply the vendor‑supplied fix.
  • If an upgrade is not immediately possible, restrict or disable the db_loader.php endpoint for authenticated users to prevent the injection vector.
  • Validate that database access permissions follow least‑privilege principles and consider disabling remote access to the database from the application if not needed.

Generated by OpenCVE AI on May 21, 2026 at 18:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in db_loader.php where the multiple POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) are concatenated into mysqli connection arguments and dynamic SQL operating against an attacker-controlled database without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.
Title Open ISES Tickets < 3.44.2 SQL Injection via db_loader.php Multiple Parameters
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T17:10:40.515Z

Reserved: 2026-05-21T13:15:18.101Z

Link: CVE-2026-48236

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-21T18:16:20.440

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48236

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T18:45:17Z

Weaknesses