PatchSiren cyber security CVE debrief
CVE-2026-9507 Enhancesoft CVE debrief
A session fixation vulnerability has been identified in osTicket v1.18.2. The flaw lets an attacker hijack a victim's account because the initial session identifier (OSTSESSID) remains valid after a successful login: the application neither invalidates the pre-authentication cookie nor issues a new identifier for the authenticated context. As a result, if an attacker manages to set a known session identifier in the victim's browser, that identifier becomes an authenticated session once the victim logs in, and the attacker can use it to maintain unauthorized access to the account.
- Vendor: Enhancesoft
- Product: osTicket
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-16
Who should care
Users of osTicket v1.18.2
Technical summary
The vulnerability has a CVSS score of 5.1 and is classified as MEDIUM severity. The CVE record can be found at [cve-org]. More details are available at [nvd].
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a patched version of osTicket
- Invalidate pre-authentication cookies after login
- Generate new session identifiers for authenticated contexts
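The following Python model is an added illustration, not code from osTicket or from this advisory. It contrasts the behaviour the advisory describes (a login handler that keeps the pre-authentication session identifier) with the recommended behaviour (invalidate the old identifier and issue a fresh one for the authenticated context), and wraps the comparison in a check a defender can keep as a regression test. `SessionStore`, `login_vulnerable`, `login_hardened` and `pre_login_sid_still_valid` are hypothetical names; the session identifiers and usernames are constructed sample values.

```python
import secrets


class SessionStore:
    """Minimal in-memory session table: session id -> session data.

    Hypothetical stand-in for a server-side session backend; in osTicket
    the identifier in question travels in the OSTSESSID cookie.
    """

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        # Anonymous (pre-authentication) session with an unguessable id.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)


def login_vulnerable(store, sid, username):
    """Session-fixation-prone login: authenticates the session the client
    presented and keeps its identifier, so anyone who knew that identifier
    beforehand now holds an authenticated session."""
    sess = store.get(sid)
    if sess is None:
        return None  # unknown id: no login possible
    sess["user"] = username
    return sid  # same id before and after authentication


def login_hardened(store, sid, username):
    """Login that rotates the session: the pre-authentication identifier is
    deleted server-side and a new identifier is issued for the authenticated
    context, which is the mitigation the advisory recommends."""
    store.sessions.pop(sid, None)  # invalidate pre-authentication session
    new_sid = store.new_session()  # fresh identifier, unknown to anyone else
    store.sessions[new_sid]["user"] = username
    return new_sid  # caller must set this as the new cookie value


def pre_login_sid_still_valid(login):
    """Regression check: after a user authenticates, does the identifier
    that existed before login still resolve to the authenticated session?
    True means the login handler is fixation-prone."""
    store = SessionStore()
    planted = store.new_session()  # constructed: id known before login
    login(store, planted, "victim")  # constructed username
    stale = store.get(planted)
    return stale is not None and stale.get("user") == "victim"


if __name__ == "__main__":
    print("vulnerable login keeps pre-login id:",
          pre_login_sid_still_valid(login_vulnerable))
    print("hardened login keeps pre-login id:",
          pre_login_sid_still_valid(login_hardened))
```

The check passes for `login_hardened` because the only identifier that maps to the authenticated session is the one minted during login, which the server returns to the client in a fresh cookie. In PHP, which osTicket is written in, the equivalent of `login_hardened` is calling `session_regenerate_id(true)` at the point of successful authentication, so that the old session file is deleted as well as the identifier replaced.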
Evidence notes
The vulnerability was reported by INCIBE. More information can be found at [ref-4].
Official resources
- CVE-2026-9507 CVE record (CVE.org)
- CVE-2026-9507 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-9507 was published on 2026-06-16T13:16:38.140Z and has not been modified since then.