PatchSiren cyber security CVE debrief
CVE-2026-48215 Open ISES CVE debrief
CVE-2026-48215 is a reflected cross-site scripting issue in Open ISES Tickets before 3.44.2. Authenticated attackers can pass an unsanitized frm_id value to circle.php, where it is reflected into an HTML form input value attribute and can execute JavaScript in a victim's browser when the response is rendered. The issue is tracked by NVD with a published date of 2026-05-21 and references a fix commit plus the 3.44.2 release tag.
- Vendor
- Open ISES
- Product
- Tickets
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-21
- Original CVE updated
- 2026-05-21
- Advisory published
- 2026-05-21
- Advisory updated
- 2026-05-21
Who should care
Administrators and developers running Open ISES Tickets versions earlier than 3.44.2, especially if authenticated users can access circle.php. Security teams should prioritize any deployment where browser session context could be exposed through reflected script execution.
Technical summary
The vulnerability is a reflected XSS (CWE-79) in circle.php. The frm_id POST parameter is not properly sanitized before being inserted into an HTML input value attribute, which allows attacker-controlled script content to be reflected back to the browser. Because the attack requires an authenticated request and user interaction to render the malicious response, the practical impact is primarily session/browser compromise within the application context rather than direct server-side execution.
Defensive priority
Medium. The CVSS score is 5.1 and the attack requires authentication plus user interaction, but reflected XSS can still expose sessions, tokens, or privileged application actions.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Review any code paths that render frm_id or similar request parameters into HTML and ensure context-appropriate output encoding.
- Audit authenticated endpoints for reflected input handling, especially in form attributes and other browser-rendered contexts.
- If immediate upgrade is not possible, restrict access to affected application areas and monitor for suspicious authenticated requests targeting circle.php.
- Validate that security controls such as Content Security Policy and secure session handling are in place, while treating them as defense-in-depth rather than a fix.
Evidence notes
The vulnerability description, affected version boundary, CWE-79 classification, and reference links are taken from the supplied NVD source item metadata and CVE description. The source item was published on 2026-05-21 and last modified the same day. NVD metadata marks the vuln status as Deferred. The vendor attribution in the supplied corpus is low-confidence/needs review, so product naming is kept aligned to the source description rather than inferred beyond the provided evidence.
Official resources
Publicly disclosed in the supplied source record on 2026-05-21; NVD metadata lists the vulnerability status as Deferred. The supplied references point to a remediation commit and the 3.44.2 release tag.