PatchSiren cyber security CVE debrief

CVE-2026-48213 Open ISES CVE debrief

CVE-2026-48213 is a reflected cross-site scripting issue in Open ISES Tickets prior to version 3.44.2. The problem is in add.php, where an unsanitized ticket_id POST value is inserted into an HTML form input value attribute. An authenticated attacker can send a crafted request so that malicious JavaScript executes in the victim’s browser when the response is rendered.

Vendor: Open ISES
Product: Tickets
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and security teams running Open ISES Tickets, especially deployments that expose add.php to authenticated users. Any organization that allows lower-trust or broad internal users to interact with ticket creation workflows should treat this as a browser-side injection risk.

Technical summary

The vulnerable flow reflects user-controlled ticket_id data into HTML without proper sanitization or encoding. Because the value lands in an attribute context, a crafted payload can break out of the intended value and execute script in the browser. The issue is tracked as CWE-79 and is fixed in Open ISES Tickets v3.44.2 per the referenced release and commit.
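The attribute-context break-out described above, and the encoding that closes it, as an added PHP illustration that is not code from the Open ISES Tickets project. Only the sink (add.php reflecting the ticket_id POST value into an input value attribute) comes from the advisory; the function names, the integer-id assumption and the sample value are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example for this debrief, not code from Open ISES Tickets. Only the sink
// (add.php reflecting the ticket_id POST value into an input value attribute)
// comes from the advisory; the function names and the sample value are constructed.

// Vulnerable pattern: the raw request value is concatenated into the attribute.
// A double quote in the value closes value="..." early, and whatever follows is
// parsed by the browser as new attributes or markup.
function renderTicketFieldVulnerable(string $ticketId): string
{
    return '<input type="text" name="ticket_id" value="' . $ticketId . '">';
}

// Hardened pattern: encode for the HTML attribute context before concatenating.
// ENT_QUOTES converts both " and ' so the value cannot terminate the attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderTicketFieldFixed(string $ticketId): string
{
    return '<input type="text" name="ticket_id" value="' . escapeAttr($ticketId) . '">';
}

// Optional second layer (assumption: ticket ids are decimal integers in your
// deployment). Rejecting anything else keeps hostile input out of the page entirely;
// the output encoding above is still required because such a rule may not hold
// for every parameter that reaches a template.
function isWellFormedTicketId(string $value): bool
{
    return $value !== '' && ctype_digit($value) && strlen($value) <= 20;
}

// In add.php the value would come from $_POST['ticket_id']; here it is a constructed
// sample containing a quote and angle brackets, which is all it takes to leave the
// attribute in the vulnerable rendering.
$sample = '42"><i>x</i>';

echo 'vulnerable:  ' . renderTicketFieldVulnerable($sample) . PHP_EOL;
echo 'fixed:       ' . renderTicketFieldFixed($sample) . PHP_EOL;
echo 'well-formed: ' . (isWellFormedTicketId($sample) ? 'yes' : 'no') . PHP_EOL;
```

Run with `php example.php`. In the vulnerable line the attribute ends after `42` and an `<i>` element follows it inside the tag; in the fixed line the same characters appear as `42&quot;&gt;&lt;i&gt;x&lt;/i&gt;`, which the browser decodes back to literal text inside the value and never treats as markup. The same `escapeAttr` helper is what to look for when reviewing forks or customizations for other reflected parameters.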

Defensive priority

Medium. The issue requires authentication and user interaction, but successful exploitation can execute script in a victim session and enable phishing, session abuse, or unauthorized actions in the application context.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Review any backports, forks, or customizations to confirm the ticket_id value is HTML-escaped before rendering in add.php.
  • Validate that other request parameters are not reflected into HTML attribute contexts without encoding.
  • Use layered browser defenses where practical, such as a restrictive Content Security Policy and secure cookie settings.
  • If immediate upgrade is not possible, limit access to the affected authenticated workflow to the smallest practical user set.
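The layered browser defenses from the list above, as an added PHP illustration that is not part of Open ISES Tickets. The policy contents, header set and cookie parameters are assumptions for this example and must be tuned to the scripts and resources the application actually loads.

```php
<?php
declare(strict_types=1);

// Added example, not part of Open ISES Tickets. It shows a restrictive
// Content Security Policy and secure session cookie settings as PHP calls
// that must run before any output is sent. The exact policy is an assumption.

// Returns the per-response nonce so templates can mark their own inline scripts
// with <script nonce="..."> while the policy blocks any inline script or event
// handler that lacks it, which is what an injected payload would be.
function sendBrowserHardeningHeaders(bool $reportOnly): string
{
    $nonce  = base64_encode(random_bytes(16));
    $policy = implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
        "form-action 'self'",
    ]);
    // Start in report-only mode on a legacy application so that existing inline
    // scripts surface as violation reports in the browser console rather than
    // as broken pages; switch to enforcing once the reports are clean.
    $headerName = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header("{$headerName}: {$policy}");
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: same-origin');
    return $nonce;
}

// Session cookie settings: HttpOnly keeps the cookie out of document.cookie,
// Secure restricts it to HTTPS, SameSite=Lax limits cross-site sends. These
// reduce what a script running in a victim session can do with the cookie.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

startHardenedSession();
$nonce = sendBrowserHardeningHeaders(true); // pass false once violation reports are clean
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">/* application script */</script>';
```

Both calls have to precede the first byte of output, so they belong in a bootstrap file included at the top of add.php and the other entry points. A nonce-based `script-src` also blocks inline `onclick`-style handlers that existing templates may rely on, which is why the example starts in report-only mode. None of this replaces the upgrade: the output encoding fix in 3.44.2 is the actual remedy, and these headers limit the impact if another reflection is found.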

Evidence notes

The NVD record for CVE-2026-48213 cites a VulnCheck disclosure and references a fixing commit plus the v3.44.2 release tag. The CVE description states the flaw affects Open ISES Tickets before 3.44.2 and that the vulnerable sink is add.php with the ticket_id POST parameter. NVD currently marks the vulnerability status as Deferred in the provided source item.

Official resources

Publicly disclosed on 2026-05-21 in the referenced VulnCheck advisory and reflected in the NVD entry the same day. The available references point to a fix commit and the Open ISES Tickets v3.44.2 release.