PatchSiren cyber security CVE debrief
CVE-2026-22200 Enhancesoft CVE debrief
CVE-2026-22200 is an arbitrary file read vulnerability in Enhancesoft osTicket. The vulnerability exists in versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7. A remote attacker can exploit this vulnerability by submitting a crafted ticket containing rich-text HTML with PHP filter expressions. These expressions are insufficiently sanitized before being processed by the mPDF PDF generator during export. As a result, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images. This allows for the disclosure of sensitive local files in the context of the osTicket application user. The vulnerability is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
- Vendor
- Enhancesoft
- Product
- osTicket
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-12
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-01-12
- Advisory updated
- 2026-07-14
Who should care
System administrators and security teams responsible for osTicket installations, particularly those allowing guest ticket creation or self-registration, should be aware of this vulnerability. Users of osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 are at risk and should apply patches or mitigations.
Technical summary
The CVE-2026-22200 vulnerability in Enhancesoft osTicket allows remote attackers to read arbitrary files by exploiting the ticket PDF export functionality. Attackers can submit crafted tickets with rich-text HTML containing PHP filter expressions. These expressions are not properly sanitized before being processed by the mPDF PDF generator. As a result, the generated PDF can include contents of files from the server filesystem as bitmap images. This vulnerability exists in osTicket versions 1.18.x before 1.18.3 and 1.17.x before 1.17.7. It can be exploited in default configurations where guests can create tickets or self-registration is enabled.
Defensive priority
High
Recommended defensive actions
- Apply patches: Upgrade to osTicket version 1.18.3 or later for 1.18.x installations, and version 1.17.7 or later for 1.17.x installations.
- Restrict ticket creation: Limit ticket creation to authenticated users or disable self-registration if not necessary.
- Monitor for suspicious activity: Regularly check for unusual PDF export requests or anomalies in ticket submissions.
- Implement additional security controls: Consider using a web application firewall (WAF) to detect and prevent exploitation attempts.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE-2026-22200 vulnerability was publicly disclosed on January 12, 2026. The NVD entry was last modified on July 14, 2026. Multiple sources, including the official CVE record and NVD detail pages, confirm the existence and details of this vulnerability. Exploit information and mitigation strategies are available from various sources, including vendor releases and security advisories.
Official resources
-
CVE-2026-22200 CVE record
CVE.org
-
CVE-2026-22200 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Source reference
[email protected] - Exploit
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-01-12T19:16:02.933Z and has not been modified since then. The NVD entry is currently Analyzed.