PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-22200 Enhancesoft CVE debrief

CVE-2026-22200 is an arbitrary file read vulnerability in Enhancesoft osTicket. The vulnerability exists in versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7. A remote attacker can exploit this vulnerability by submitting a crafted ticket containing rich-text HTML with PHP filter expressions. These expressions are insufficiently sanitized before being processed by the mPDF PDF generator during export. As a result, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images. This allows for the disclosure of sensitive local files in the context of the osTicket application user. The vulnerability is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.

Vendor
Enhancesoft
Product
osTicket
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-12
Original CVE updated
2026-07-14
Advisory published
2026-01-12
Advisory updated
2026-07-14

Who should care

System administrators and security teams responsible for osTicket installations, particularly those allowing guest ticket creation or self-registration, should be aware of this vulnerability. Users of osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 are at risk and should apply patches or mitigations.

Technical summary

The CVE-2026-22200 vulnerability in Enhancesoft osTicket allows remote attackers to read arbitrary files by exploiting the ticket PDF export functionality. Attackers can submit crafted tickets with rich-text HTML containing PHP filter expressions. These expressions are not properly sanitized before being processed by the mPDF PDF generator. As a result, the generated PDF can include contents of files from the server filesystem as bitmap images. This vulnerability exists in osTicket versions 1.18.x before 1.18.3 and 1.17.x before 1.17.7. It can be exploited in default configurations where guests can create tickets or self-registration is enabled.

Defensive priority

High

Recommended defensive actions

  • Apply patches: Upgrade to osTicket version 1.18.3 or later for 1.18.x installations, and version 1.17.7 or later for 1.17.x installations.
  • Restrict ticket creation: Limit ticket creation to authenticated users or disable self-registration if not necessary.
  • Monitor for suspicious activity: Regularly check for unusual PDF export requests or anomalies in ticket submissions.
  • Implement additional security controls: Consider using a web application firewall (WAF) to detect and prevent exploitation attempts.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE-2026-22200 vulnerability was publicly disclosed on January 12, 2026. The NVD entry was last modified on July 14, 2026. Multiple sources, including the official CVE record and NVD detail pages, confirm the existence and details of this vulnerability. Exploit information and mitigation strategies are available from various sources, including vendor releases and security advisories.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-01-12T19:16:02.933Z and has not been modified since then. The NVD entry is currently Analyzed.