Description
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in db_loader.php where the multiple POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) are concatenated into mysqli connection arguments and dynamic SQL operating against an attacker-controlled database without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.
Published: 2026-05-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open ISES Tickets versions prior to 3.44.2 suffer from a SQL injection flaw in db_loader.php. The script concatenates four POST parameters—ticketsdb, ticketshost, ticketsuser, ticketspassword—into mysqli connection arguments and forms dynamic SQL that is sent to an attacker‑controlled database. Because no input sanitization or prepared statements are used, an authenticated attacker can craft requests that alter query semantics, allowing read, write or delete operations against any configured database.

Affected Systems

Affected deployments include all instances of Open ISES Tickets running a version older than 3.44.2. The vulnerability can be exercised by any user who has authenticated access to the web application, as the POST parameters are accepted through the public endpoint db_loader.php.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity level. The EPSS score is not available, and the issue is not listed in CISA KEV. The likely attack vector is an authenticated HTTP POST request to db_loader.php. Because the flaw requires validity of credentials, the risk is confined to accounts with database management privileges, but the impact on data confidentiality, integrity and availability is significant once exploited.

Generated by OpenCVE AI on May 21, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later to apply the vendor‑supplied fix.
  • If an upgrade is not immediately possible, restrict or disable the db_loader.php endpoint for authenticated users to prevent the injection vector.
  • Validate that database access permissions follow least‑privilege principles and consider disabling remote access to the database from the application if not needed.

Generated by OpenCVE AI on May 21, 2026 at 18:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 23 May 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Openises
Openises tickets
Vendors & Products Openises
Openises tickets

Thu, 21 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in db_loader.php where the multiple POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) are concatenated into mysqli connection arguments and dynamic SQL operating against an attacker-controlled database without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.
Title Open ISES Tickets < 3.44.2 SQL Injection via db_loader.php Multiple Parameters
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openises Tickets
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-23T02:23:07.220Z

Reserved: 2026-05-21T13:15:18.101Z

Link: CVE-2026-48236

cve-icon Vulnrichment

Updated: 2026-05-23T02:23:01.294Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T18:16:20.440

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48236

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T12:30:27Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')