PatchSiren cyber security CVE debrief

CVE-2026-48220 Open ISES CVE debrief

CVE-2026-48220 describes a reflected cross-site scripting issue in Open ISES Tickets versions before 3.44.2. The vulnerable path is ics205.php, where the frm_add_str POST parameter is written into the value attribute of an HTML hidden input without sanitization or output encoding. In practice, an authenticated attacker can submit a crafted request that causes arbitrary JavaScript to execute when the response is rendered in a victim's browser. The issue is rated medium severity and maps to CWE-79.

Vendor: Open ISES
Product: Tickets
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Organizations running Open ISES Tickets versions earlier than 3.44.2 should prioritize review, especially environments where authenticated users with different privilege levels share the application. Security teams should pay attention if the application is used for incident handling or by operators with access to sensitive browser sessions, because reflected XSS can affect the user who renders the response.

Technical summary

The source description identifies a reflected XSS flaw in ics205.php. The frm_add_str POST parameter is inserted directly into an HTML form hidden input value attribute without proper output encoding or sanitization. Because the payload is reflected in the server response, a malicious authenticated user can cause script execution in another user’s browser when that response is loaded. The source references indicate the project fixed the issue in release v3.44.2.
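As an added example (not code from the Open ISES project; the function names are hypothetical and only the parameter name frm_add_str comes from the advisory), the following PHP shows the unsafe reflection pattern the summary describes beside the attribute-context output encoding that closes it:

```php
<?php
// Added illustration, not Open ISES code: the difference between reflecting a
// POST value straight into a hidden input's value attribute and encoding it
// for that context first. Function names are hypothetical; "frm_add_str" is the
// parameter named in the CVE.

// Vulnerable pattern: the raw request value is concatenated into the attribute.
// A value containing a double quote terminates the attribute early, so the rest
// of the value is parsed by the browser as markup.
function render_hidden_unsafe(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '">';
}

// Attribute-context encoder. ENT_QUOTES encodes both quote styles, ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string (which would
// silently drop the field), and ENT_HTML5 selects HTML5 entity names.
function encode_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every dynamic fragment is encoded before being emitted.
// In a request handler this would be called as
//   render_hidden_safe('frm_add_str', $_POST['frm_add_str'] ?? '');
function render_hidden_safe(string $name, string $value): string
{
    return '<input type="hidden" name="' . encode_attr($name)
         . '" value="' . encode_attr($value) . '">';
}

// Constructed sample: characters that are significant inside an attribute value.
$sample = 'ICS-205 "Comms" <plan> & O\'Brien';

echo "Unsafe: " . render_hidden_unsafe('frm_add_str', $sample) . PHP_EOL;
echo "Safe:   " . render_hidden_safe('frm_add_str', $sample) . PHP_EOL;

// Self-check for the hardened path: no raw quote or angle bracket may survive
// in the encoded attribute value (ampersands legitimately remain as part of
// the entities).
if (strpbrk(encode_attr($sample), "\"'<>") !== false) {
    throw new RuntimeException('attribute encoding failed');
}
```

The safe variant is what a code review of the frm_add_str handling should look for: encoding applied at the point of output, with flags that cover both quote characters, rather than input filtering somewhere upstream that a later code path can bypass.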

Defensive priority

Medium. The vulnerability requires authentication and user interaction to trigger, but browser-side script execution can still expose sessions, actions, or data in the affected web application context. Patch priority is elevated for deployments with privileged users or sensitive operational workflows.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Verify whether any systems are still running pre-3.44.2 builds of the project.
  • Review the ics205.php handling of frm_add_str for proper output encoding and input handling.
  • If abuse is suspected, review application and web access logs for unusual POST activity involving the affected endpoint.
  • Consider session hygiene measures for affected users, such as reauthentication after remediation, if there is evidence of abuse.
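As an added example for the log-review step (not Open ISES tooling; the log lines, hostnames and addresses are constructed, and ics205.php is the endpoint named above), this PHP script pulls POST requests to the affected endpoint out of Apache combined-format access log lines and summarises them per client and user:

```php
<?php
// Added illustration, not Open ISES tooling: triage web access logs for POST
// requests to the affected endpoint. The log lines below are constructed
// samples in Apache combined format; adjust the regex for other formats.

const AFFECTED_ENDPOINT = '/ics205.php';

const SAMPLE_LOG = <<<'LOG'
192.0.2.10 - alice [21/May/2026:09:14:02 +0000] "GET /ics205.php HTTP/1.1" 200 5120 "https://tickets.example/index.php" "Mozilla/5.0"
192.0.2.10 - alice [21/May/2026:09:14:40 +0000] "POST /ics205.php HTTP/1.1" 200 5300 "https://tickets.example/ics205.php" "Mozilla/5.0"
198.51.100.7 - bob [21/May/2026:09:15:11 +0000] "POST /ics205.php HTTP/1.1" 200 5301 "-" "curl/8.4.0"
198.51.100.7 - bob [21/May/2026:09:15:12 +0000] "POST /ics205.php HTTP/1.1" 200 5301 "-" "curl/8.4.0"
203.0.113.5 - carol [21/May/2026:09:16:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its fields; returns null on lines that
// do not match, so malformed or truncated entries are skipped rather than fatal.
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'user' => $m[2], 'time' => $m[3], 'method' => $m[4],
            'path' => $m[5], 'status' => (int) $m[6], 'referer' => $m[7], 'ua' => $m[8]];
}

// Keep only POST requests whose path (ignoring any query string) is the endpoint.
function find_posts_to_endpoint(string $log, string $endpoint): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null || $r['method'] !== 'POST') {
            continue;
        }
        if (strtok($r['path'], '?') !== $endpoint) {
            continue;
        }
        $hits[] = $r;
    }
    return $hits;
}

// Summarise per client and user. The form is normally submitted from the
// application's own pages by a browser, so POSTs with no referer or from a
// non-browser user agent deserve a closer look.
function summarise(array $hits): array
{
    $out = [];
    foreach ($hits as $h) {
        $key = $h['ip'] . ' ' . $h['user'];
        $out[$key] ??= ['posts' => 0, 'no_referer' => 0, 'agents' => []];
        $out[$key]['posts']++;
        if ($h['referer'] === '-') {
            $out[$key]['no_referer']++;
        }
        $out[$key]['agents'][$h['ua']] = true;
    }
    return $out;
}

foreach (summarise(find_posts_to_endpoint(SAMPLE_LOG, AFFECTED_ENDPOINT)) as $who => $s) {
    printf("%-22s posts=%d no_referer=%d agents=%s\n",
        $who, $s['posts'], $s['no_referer'], implode(',', array_keys($s['agents'])));
}
```

Replace SAMPLE_LOG with the contents of a real access log to run it against production data. Access logs do not record POST bodies, so the script can only show who submitted the form, how often and from where; the referer and user-agent columns help separate ordinary in-application form submissions from scripted requests, which is what the log review in this debrief is meant to surface.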

Evidence notes

The debrief is based on the supplied CVE description and the cited source references. The NVD record lists the vulnerability as deferred at the time of the supplied snapshot and includes references to a fixing commit, release v3.44.2, and a VulnCheck advisory. No exploit steps or unsupported impact claims are included here.

Official resources

The CVE and source snapshot were published on 2026-05-21. Use that date for disclosure timing context; do not infer an earlier issue date from the analysis or publication workflow.