PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48217 Open ISES CVE debrief

CVE-2026-48217 is a reflected cross-site scripting issue in Open ISES Tickets, affecting versions before 3.44.2. The flaw is in delete_module.php, where POST parameters are reflected without output encoding into rendered HTML and into a form action attribute. The CVSS vector records no privileges required, so the attacker does not need an account; what they need is a victim, typically a logged-in operator, who can be induced to submit the crafted request (reflected XSS over POST is normally delivered through a third-party page that submits the form on the victim's behalf). The supplied advisory and linked fix indicate the issue was addressed in v3.44.2. The practical takeaway is straightforward: upgrade to the fixed release, then review similar request-handling code paths for unencoded output. This is a classic CWE-79 exposure with user interaction required, so the main risk is script running in the victim's browser session (session abuse, actions performed as that user) rather than direct server compromise.

Vendor
Open ISES
Product
Tickets
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

Administrators and operators of Open ISES Tickets, application security teams, and anyone responsible for patching or reviewing PHP web applications that accept authenticated POST input and render it back into HTML.

Technical summary

The vulnerability is a reflected XSS in delete_module.php. Multiple POST parameters, including module_choice, flag, and confirmation, are reflected without sufficient sanitization into HTML content and into form action attributes. Two output contexts are involved, which matters for the fix: a value in HTML body text needs HTML entity encoding, while a value placed in an action attribute also needs quote encoding and, because action is a URL sink, validation against an allowlist so that an attacker-chosen scheme such as javascript: cannot reach it. The CVSS vector supplied with the record indicates network exploitation with low attack complexity, no privileges required, and user interaction required. The mapped weakness is CWE-79. A fix is referenced in the Open ISES Tickets v3.44.2 release and the associated commit.
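The following PHP is an added illustration of the sink pattern described above and of a hardened equivalent. It is not code from Open ISES Tickets or from the fixing commit, whose contents are not reproduced on this page; the parameter names come from the advisory, while the function names, the module allowlist and the payload are assumptions made for the example.

```php
<?php
// Illustrative handler for the sink class described in the advisory.
// Added example, not Open ISES Tickets source. Parameter names
// (module_choice, flag, confirmation) are from the advisory; everything
// else below is assumed.

declare(strict_types=1);

// --- Vulnerable shape (do not deploy): raw POST values reach two sinks ---
function renderVulnerable(array $post): string
{
    $module  = $post['module_choice'] ?? '';
    $flag    = $post['flag'] ?? '';
    $confirm = $post['confirmation'] ?? '';
    // Sink 1: HTML body. A flag of "<script>alert(1)</script>" runs as-is.
    // Sink 2: form action attribute. A module_choice of
    //   " onfocus="alert(1)" autofocus="
    // terminates the attribute and adds an event handler.
    return "<p>Delete module {$module} (flag={$flag}, confirmation={$confirm})</p>\n"
         . "<form method=\"post\" action=\"delete_module.php?module_choice={$module}\">"
         . "<button>Confirm</button></form>\n";
}

// --- Hardened shape: encode per context, allowlist what may reach a URL sink ---
function h(string $value): string
{
    // ENT_QUOTES encodes ' and " so a value cannot terminate an attribute;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Assumed list of installed modules; the real application would derive this.
const KNOWN_MODULES = ['reports', 'billing', 'knowledgebase'];

function renderHardened(array $post): string
{
    $module  = (string) ($post['module_choice'] ?? '');
    $flag    = (string) ($post['flag'] ?? '');
    $confirm = (string) ($post['confirmation'] ?? '');

    // Validation, not encoding, decides what may go into the URL-bearing attribute.
    if (!in_array($module, KNOWN_MODULES, true)) {
        return "<p>Unknown module.</p>\n";
    }
    // Query value: URL-encoded. Whole URL: HTML-encoded for the attribute context.
    $action = 'delete_module.php?module_choice=' . rawurlencode($module);

    return '<p>Delete module ' . h($module) . ' (flag=' . h($flag)
         . ', confirmation=' . h($confirm) . ")</p>\n"
         . '<form method="post" action="' . h($action) . '">'
         . "<button>Confirm</button></form>\n";
}

// Constructed payload for demonstration; not taken from the advisory.
$payload = [
    'module_choice' => '" onfocus="alert(1)" autofocus="',
    'flag'          => '<script>alert(1)</script>',
    'confirmation'  => 'yes',
];
echo renderVulnerable($payload); // both payloads are reflected verbatim
echo renderHardened($payload);   // unknown module is refused; nothing executable is emitted
echo renderHardened(['module_choice' => 'billing', 'flag' => '<b>', 'confirmation' => 'yes']);
```

Run it with the php command-line interpreter and compare the three outputs. In the hardened path the fixed `delete_module.php?` prefix already pins the scheme, so the allowlist mainly guards against unexpected values in the query; where user input can supply an entire action URL, an allowlist or scheme check is the only thing that keeps a javascript: URL out, because HTML encoding leaves a scheme intact.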

Defensive priority

Medium. This is not a known wormable or pre-auth remote code execution issue, but it can still enable session abuse, phishing-like browser actions, or pivoting through authenticated admin workflows if a victim loads a crafted response.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Review the linked fixing commit to understand the input-handling changes and apply the same pattern to similar code paths.
  • Audit other endpoints that reflect POST parameters into HTML or attribute contexts, especially PHP form handlers.
  • Verify server-side output encoding and request validation for any user-controlled values rendered back to the browser.
  • Confirm that logged-in users, especially administrators, cannot be driven into high-privilege actions such as module deletion by a cross-site request: anti-CSRF tokens on state-changing forms block the cross-site form submission by which a POST-reflected payload is normally delivered, though they complement output encoding rather than replace it.
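To support the audit step above, here is an added, heuristic scanner in PHP. It is not a tool from the Open ISES project: it tokenizes a PHP file with the standard token_get_all function and flags echo, print and short-echo (<?=) statements that read a request superglobal without an encoding call in the same statement. The sample file it scans is constructed for the example and is not delete_module.php; the list of encoder names is an assumption you should extend with the application's own helpers.

```php
<?php
// Heuristic reflection audit for PHP handlers. Added example, not project code.
// Flags output statements that use $_POST/$_GET/$_REQUEST with no encoder in the
// same statement. It does not follow values copied into locals first, so treat
// hits as a starting list, not as proof of absence elsewhere.

declare(strict_types=1);

const SUPERGLOBALS = ['$_POST', '$_GET', '$_REQUEST'];
// Assumed set of "safe" calls; add the application's own escaping helpers here.
const ENCODERS = ['htmlspecialchars', 'htmlentities', 'rawurlencode', 'urlencode', 'json_encode', 'intval'];

/** Returns [['line' => int, 'code' => string], ...] for suspicious output statements. */
function findUnescapedReflections(string $source): array
{
    $tokens   = token_get_all($source);
    $count    = count($tokens);
    $findings = [];

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue;
        }
        // echo ..., print ..., and the short echo tag <?= ... ?>
        if (!in_array($tok[0], [T_ECHO, T_PRINT, T_OPEN_TAG_WITH_ECHO], true)) {
            continue;
        }
        $line      = $tok[2];
        $text      = $tok[1];
        $usesInput = false;
        $encoded   = false;

        // Walk to the end of the statement: a ';' or a closing '?>' tag.
        for ($j = $i + 1; $j < $count; $j++) {
            $t = $tokens[$j];
            if ($t === ';' || (is_array($t) && $t[0] === T_CLOSE_TAG)) {
                break;
            }
            $text .= is_array($t) ? $t[1] : $t;
            if (is_array($t) && $t[0] === T_VARIABLE && in_array($t[1], SUPERGLOBALS, true)) {
                $usesInput = true;
            }
            if (is_array($t) && $t[0] === T_STRING && in_array(strtolower($t[1]), ENCODERS, true)) {
                $encoded = true;
            }
        }
        if ($usesInput && !$encoded) {
            $findings[] = ['line' => $line, 'code' => trim($text)];
        }
        $i = $j; // resume after the statement terminator
    }
    return $findings;
}

// Constructed sample file; not the real delete_module.php.
$sample = <<<'PHP'
<?php
$choice = $_POST['module_choice'] ?? '';
echo "<p>Module: " . $_POST['module_choice'] . "</p>";
echo "<p>Flag: " . htmlspecialchars($_POST['flag'], ENT_QUOTES) . "</p>";
?>
<form action="delete_module.php?m=<?= $_POST['confirmation'] ?>">
<p><?= htmlspecialchars($choice) ?></p>
PHP;

// Expected: line 3 (body sink) and line 6 (attribute sink) are reported;
// line 4 and line 7 are not. Line 2 is missed because it is an assignment,
// which is the limitation noted above.
foreach (findUnescapedReflections($sample) as $hit) {
    printf("line %d: %s\n", $hit['line'], $hit['code']);
}
```

Point the function at each PHP file under the web root (file_get_contents in a loop over a RecursiveDirectoryIterator is enough) and review every hit by hand; a clean run does not prove safety, because data that is first stored in a variable or a template array is not tracked.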

Evidence notes

The CVE record and NVD entry both identify the issue as a reflected XSS in Open ISES Tickets before 3.44.2, with CWE-79 listed in the supplied source metadata. The referenced GitHub release tag v3.44.2 and the linked commit provide the strongest available fix evidence in the corpus. Timeline fields show the CVE was published and modified on 2026-05-21. Vendor metadata in the source is low-confidence/needs review, so the product name is taken from the vulnerability description and references rather than the vendor field.

Official resources

Publicly disclosed in the supplied source set on 2026-05-21, with the CVE published and modified the same day. The advisory attribution in the source metadata points to VulnCheck, and the fix is referenced in the Open ISES Tickets v3.44.2 release and its associated commit.