PatchSiren cyber security CVE debrief
CVE-2026-48218 Open ISES CVE debrief
CVE-2026-48218 was published on 2026-05-21 and describes a reflected cross-site scripting issue in Open ISES Tickets before version 3.44.2. The vulnerable path is icons/buttons/landb.php, where the unsanitized frm_name and frm_id POST parameters are reflected into rendered HTML and inline JavaScript. The supplied sources associate the fix with the 3.44.2 release and a related code commit. NVD marked the record as Deferred at the time of the supplied update.
- Vendor: Open ISES
- Product: Tickets
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and maintainers of Open ISES Tickets installations, especially environments where authenticated users work with the application through a browser. Security teams should also care if the product is embedded in larger ticketing or service workflows, since reflected XSS executes in the user's browser and can cross the trust boundary between the application and the user's session.
Technical summary
The issue is a reflected XSS vulnerability (CWE-79) in icons/buttons/landb.php. According to the supplied description, the application writes the unsanitized frm_name and frm_id POST values into HTML content and inline JavaScript, so a crafted request causes arbitrary script to execute in the victim's browser when the response is rendered. The supplied CVSS 4.0 vector rates the issue as network-reachable with user interaction required, and the severity is medium (5.1).
Defensive priority
Medium overall, but patch quickly if your instance is internet-facing or widely used by authenticated users. Because the flaw is in a browser-executed response path, a successful attack runs with the victim's session and can reach whatever that user, including an administrator, is allowed to do in the application.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Verify that the 3.44.2 change set is deployed everywhere the application runs, including staging, replicas, and container images.
- Review server-side output encoding and request handling in icons/buttons/landb.php for any similar reflection issues.
- Restrict access to the application to trusted users where feasible and use least-privilege roles for authenticated accounts.
- Monitor for unusual browser-side behavior or unexpected parameter values hitting the affected endpoint until patching is complete.
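The fix category for the technical summary above, and the property to check when reviewing landb.php for similar reflection issues, is context-aware output encoding. The following is an added illustration, not code from Open ISES Tickets or its 3.44.2 commit: a hypothetical PHP handler in the reflection shape the advisory describes, next to a hardened version that validates frm_id and encodes each value for the exact context it lands in. Only the parameter names come from the advisory; the markup, function names and the numeric format of frm_id are assumptions.

```php
<?php
// Added example: hypothetical handler, not code from Open ISES Tickets or its fix.
// Parameter names frm_name / frm_id come from the advisory; everything else is invented.

// Vulnerable shape: raw POST values dropped into an HTML attribute, element text,
// and a string inside an inline <script>. Any one of the three is enough for reflected XSS.
function render_unsafe(array $post): string
{
    $name = $post['frm_name'] ?? '';
    $id   = $post['frm_id'] ?? '';
    return "<input name=\"frm_name\" value=\"$name\">\n"
         . "<p>Form: $name</p>\n"
         . "<script>var formId = '$id';</script>\n";
}

// Encoder for HTML body text and double-quoted attribute values.
function enc_html(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoder for a value embedded in inline JavaScript: emit a JSON string literal and
// hex-escape <, >, &, ' and " so the HTML parser can never see a closing </script>
// and the JS parser can never see the end of the string early.
function enc_js(string $v): string
{
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Hardened shape: validate what has a known format, encode the rest for its context.
function render_safe(array $post): string
{
    $name = (string) ($post['frm_name'] ?? '');
    $id   = (string) ($post['frm_id'] ?? '');

    // Assumption: frm_id is a short numeric identifier, so anything else is rejected outright.
    if (!preg_match('/^\d{1,10}\z/', $id)) {
        http_response_code(400);
        return 'invalid frm_id';
    }

    return '<input name="frm_name" value="' . enc_html($name) . "\">\n"
         . '<p>Form: ' . enc_html($name) . "</p>\n"
         . '<script>var formId = ' . enc_js($id) . ";</script>\n";
}

// Constructed sample request containing markup-significant characters in the name.
$sample = ['frm_name' => 'Desk "A" <b>&', 'frm_id' => '42'];
header('Content-Type: text/html; charset=UTF-8'); // declare the charset the encoder assumes
echo render_safe($sample);
```

When reviewing the real handler, the check is that every interpolation of a request value goes through the encoder for its context (HTML text, attribute, or JavaScript), not a single generic escape applied once.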
Evidence notes
This debrief is based only on the supplied NVD record and its referenced materials. The source item lists NVD publication and modification timestamps of 2026-05-21T18:16:18.110Z and 2026-05-21T19:10:12.323Z, respectively, and marks the vulnerability status as Deferred. The references include a GitHub commit, the Open ISES Tickets v3.44.2 release tag, and the VulnCheck advisory describing the reflected XSS. The vendor field in the supplied corpus is unresolved/low-confidence, so product attribution is treated cautiously.
Official resources
The issue was publicly disclosed in the VulnCheck advisory referenced by NVD on 2026-05-21. The supplied record shows the CVE was published and last modified on the same date.