Description
Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration values that may match deployed installations.
Published: 2026-05-21
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open ISES Tickets before 3.44.2 embeds the MySQL database host, username, password, and database name directly in the source file import_mdb.php. Because these credentials are committed to the public repository, any observer of the code can read them. If the credentials mirror those used in a deployed installation, an attacker who obtains the source can establish a direct database connection and read or modify data, compromising both confidentiality and integrity.

Affected Systems

The vulnerability affects the Open ISES Tickets application, specifically versions earlier than 3.44.2. All installations of these pre‑3.44.2 releases that use the default hardcoded credentials are at risk.

Risk and Exploitability

The CVSS base score of 9.2 indicates a critical severity. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog, but the ease of obtaining the credentials from the public source and the high impact of database compromise suggest that exploitation is probable in environments that have not changed the defaults. The likely attack vector is a passive read of the source code followed by an active database connection attempt that succeeds if the credentials match the target's configuration.

Generated by OpenCVE AI on May 21, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Open ISES Tickets version 3.44.2 or later, which removes hardcoded credentials
  • If an upgrade is not immediately possible, replace the hardcoded credentials with secure, environment-specific values and commit the change to a private repository
  • Restrict database user privileges to the minimum required for application operation and ensure the database is access‑controlled behind a firewall

Generated by OpenCVE AI on May 21, 2026 at 18:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration values that may match deployed installations.
Title Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in import_mdb.php
Weaknesses CWE-798
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T17:11:00.452Z

Reserved: 2026-05-21T13:15:18.101Z

Link: CVE-2026-48242

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-21T18:16:21.220

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48242

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T18:45:17Z

Weaknesses