PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48219 Open ISES CVE debrief

CVE-2026-48219 covers a reflected cross-site scripting (XSS) issue in Open ISES Tickets before version 3.44.2. The vulnerable path is ics202.php, where an unsanitized value from the frm_add_str POST parameter is placed into an HTML hidden input value attribute. An authenticated attacker can supply a crafted request that causes browser-side JavaScript to execute when the response is rendered. NVD published the CVE on 2026-05-21 and later marked the record Deferred, with references pointing to the project commit, the 3.44.2 release, and the VulnCheck advisory.

Vendor: Open ISES
Product: Tickets
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and operators of Open ISES Tickets deployments, especially environments that allow authenticated users to reach the affected workflow in ics202.php. Security teams should also pay attention if the application is used in shared-admin or helpdesk contexts where a reflected XSS payload could be used to target other logged-in users.

Technical summary

The issue is a reflected XSS (CWE-79) in ics202.php before Open ISES Tickets 3.44.2. According to the supplied description, the frm_add_str POST parameter is not properly sanitized before being written into a hidden input value attribute. Because the payload is reflected into HTML, a malicious authenticated request can trigger JavaScript execution in the victim's browser when the response is rendered. The supplied CVSS vector indicates a network attack vector, low attack complexity, user interaction required, and no direct impact on confidentiality or integrity at the base level, with some scope-related impact reflected in the vector.

Defensive priority

Medium. The flaw is web-facing and can be used for browser-side compromise of authenticated users, but it requires authentication and user interaction. Prioritize patching if the affected application is exposed to multiple users or handles sensitive administrative actions.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Review ics202.php and any related request-to-HTML rendering paths for output encoding before placing user-controlled data into attributes.
  • Validate that frm_add_str and similar parameters are both input-validated and contextually escaped on output.
  • If immediate patching is not possible, restrict access to the affected authenticated workflow and monitor for unusual request patterns involving frm_add_str.
  • Test the fix in a staging environment and confirm the response no longer reflects attacker-controlled JavaScript-capable input.
  • Add regression coverage for reflected XSS cases involving hidden input attributes.
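As an added illustration of the attribute-context output encoding and regression check called for above (example code written for this debrief, not from the Open ISES project; the render_hidden_field_* and attribute_value_is_encoded helpers and the sample string are hypothetical, only the parameter name frm_add_str comes from the advisory):

```php
<?php
// Added example, not code from the Open ISES project. The hypothetical
// render_hidden_field_* helpers stand in for the ics202.php logic described
// in the debrief; the parameter name frm_add_str comes from the advisory.

// Vulnerable pattern: the raw POST value is concatenated into an attribute,
// so a double quote in the value ends the attribute and a ">" ends the tag.
function render_hidden_field_unsafe(string $value): string {
    return '<input type="hidden" name="frm_add_str" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context before output.
// ENT_QUOTES matters: before PHP 8.1 the default flags do not encode single
// quotes, which leaves single-quoted attributes exposed.
function render_hidden_field_safe(string $value): string {
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="frm_add_str" value="' . $encoded . '">';
}

// Regression check for the hidden-input case: the rendered attribute value
// must not contain a raw double quote, single quote, or angle bracket, and
// the tag must still close where the template intended. Returns true when
// the output is safe to ship.
function attribute_value_is_encoded(string $html): bool {
    if (!preg_match('/value="([^"]*)"\s*>$/', $html, $m)) {
        return false; // attribute terminated early or tag structure broken
    }
    return strpbrk($m[1], "\"'<>") === false;
}

// Constructed sample input containing each attribute-breaking character.
$sample = "He said \"hi\" <b>it's</b>";

$unsafe = render_hidden_field_unsafe($sample);
$safe   = render_hidden_field_safe($sample);

echo 'unsafe rendering passes check: ', var_export(attribute_value_is_encoded($unsafe), true), PHP_EOL;
echo 'safe rendering passes check:   ', var_export(attribute_value_is_encoded($safe), true), PHP_EOL;
echo $safe, PHP_EOL;
```

The check is deliberately narrow to the attribute context the advisory describes; data placed into a script block or a URL needs a different encoder, so a regression suite should cover each output context ics202.php uses.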

Evidence notes

The supplied source corpus states that Open ISES Tickets before 3.44.2 has a reflected XSS in ics202.php via the frm_add_str POST parameter. NVD lists the vulnerability as CVE-2026-48219 with CWE-79 and a CVSS 4.0 vector indicating network access, low attack complexity, user interaction required, and no direct CIA impact at the base level. NVD also references the project commit and the v3.44.2 release, which aligns with the reported fix version. The record's vulnStatus is Deferred in the supplied NVD metadata. Vendor attribution in the provided data is low-confidence, so product naming here is taken from the vulnerability description and linked references rather than from the vendor field.

Official resources

CVE-2026-48219 was published on 2026-05-21 and last modified the same day in the supplied record. The referenced fix is Open ISES Tickets 3.44.2, with supporting references to the project commit and advisory material in the supplied corpus.