PatchSiren cyber security CVE debrief
CVE-2026-48221 Open ISES CVE debrief
CVE-2026-48221 describes a reflected cross-site scripting issue in Open ISES Tickets affecting ics205a.php before version 3.44.2. The problem centers on the frm_add_str POST parameter being passed into an HTML hidden input value attribute without proper sanitization, allowing attacker-supplied script content to be reflected into the page. Vulnerability references point to a fixing commit and the v3.44.2 release tag, indicating the issue is addressed in that version.
- Vendor: Open ISES
- Product: Tickets
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and developers running Open ISES Tickets deployments prior to 3.44.2 should treat this as a web application input-handling issue. Security teams should prioritize any environment where authenticated users can reach ics205a.php or where reflected content could be rendered to high-value users.
Technical summary
The source description identifies a reflected XSS path in ics205a.php via the frm_add_str POST parameter. The unencoded input is written into the value attribute of an HTML hidden input, so a double quote in the submitted value terminates the attribute and attacker-controlled markup (additional attributes, or a closing bracket followed by new elements) is rendered by the victim's browser when the response is displayed. The NVD record lists CWE-79 and marks the vulnerability status as Deferred. The supplied references include a commit in the openises/tickets repository and the v3.44.2 release tag, consistent with a fix being available in that release.
Defensive priority
Medium. Reflected XSS only fires when a victim submits the crafted request, and because frm_add_str is a POST parameter the attacker needs the victim to submit a crafted form (for example an auto-submitting form on an attacker-controlled page) rather than simply follow a link. Once it fires, the script runs in the application's origin and can drive authenticated requests, steal content visible to the victim, or target internal operators. Patch promptly if the application is Internet-facing or used by privileged operators.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Review ics205a.php and related handlers for unsafe reflection of POST parameters into HTML attributes.
- Apply server-side output encoding appropriate to the HTML attribute context: keep the attribute quoted and encode ampersands, angle brackets and both quote characters. In PHP that is htmlspecialchars with ENT_QUOTES; before PHP 8.1 the default flags encoded only double quotes, so a single-quoted attribute stays exploitable unless ENT_QUOTES is passed explicitly.
- Add input validation for frm_add_str and any similar request parameters, as a second layer rather than a substitute for encoding at the sink.
- Use a content security policy as a compensating control, while recognizing it does not replace fixing the sink.
- Test the affected flow with a benign canary that contains both quote characters and confirm it comes back entity-encoded inside the attribute rather than terminating it.
- Retest any custom forks or downstream packages to ensure the upstream fix is present.
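The following is an added example for this debrief, not code from openises/tickets: it models the attribute-context sink described in the technical summary next to its hardened form, shows the single-quote pitfall mentioned above, and implements the benign-canary check from the recommended actions so the same classifier can be pointed at a real deployment. The form layout, the canary value, the helper names and the placeholder URL are assumptions; the actual ics205a.php markup is not reproduced here.

```python
"""Attribute-context reflection of frm_add_str: vulnerable vs. hardened sink, plus a canary check.

Added example, not openises/tickets code. The real sink is PHP; the PHP equivalent of
render_fixed() is htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'). The hidden-input
layout below is an assumption about the page, not the application's actual markup.
"""
import html
import re
import urllib.parse
import urllib.request

# Benign canary: a unique prefix plus both quote characters, no angle brackets, no script.
# Reflected raw it terminates a double- or single-quoted value attribute; it executes nothing.
CANARY_PREFIX = "ps9k2"
CANARY = CANARY_PREFIX + "\"'zq"


def render_vulnerable(frm_add_str: str) -> str:
    """The pattern the CVE describes: the raw POST value lands inside value="..." (assumed layout)."""
    return f'<input type="hidden" name="frm_add_str" value="{frm_add_str}">'


def render_fixed(frm_add_str: str) -> str:
    """Attribute-context encoding: & < > " and ' are all entity-encoded before insertion."""
    return f'<input type="hidden" name="frm_add_str" value="{html.escape(frm_add_str, quote=True)}">'


def render_compat_single_quoted(frm_add_str: str) -> str:
    """Pitfall: encoding only & < > and " (PHP htmlspecialchars default before 8.1, ENT_COMPAT)
    leaves ' untouched, so a single-quoted attribute can still be terminated by input."""
    enc = html.escape(frm_add_str, quote=False).replace('"', "&quot;")
    return f"<input type='hidden' name='frm_add_str' value='{enc}'>"


_SEVERITY = {"absent": 0, "encoded": 1, "altered": 2, "outside-attribute": 3, "breakout": 4}


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Classify how the canary came back: absent, encoded, altered, outside-attribute or breakout.

    Every occurrence of the canary prefix is inspected and the most severe verdict wins.
    'breakout' means the first raw quote after the reflected text is followed by something
    other than whitespace, '/' or end of tag, i.e. the input terminated the attribute early.
    'altered' means it was reflected inside the attribute but does not decode back to the
    canary (partial encoding or filtering); inspect the surrounding markup by hand.
    """
    prefix = canary[: len(CANARY_PREFIX)]
    worst = "absent"
    for m in re.finditer(re.escape(prefix), body):
        idx = m.start()
        opener = re.search(r"""value=(["'])$""", body[:idx])  # attribute opened right before it
        end = body.find(">", idx)
        tail = body[idx: end if end >= 0 else len(body)]       # reflected text up to end of tag
        if opener is None:
            verdict = "outside-attribute"
        else:
            quote = opener.group(1)
            close = tail.find(quote)
            value = tail if close < 0 else tail[:close]
            rest = tail[close + 1:] if close >= 0 else ""
            if rest and rest[0] not in " \t\r\n/":
                verdict = "breakout"
            elif html.unescape(value) == canary:
                verdict = "encoded"
            else:
                verdict = "altered"
        if _SEVERITY[verdict] > _SEVERITY[worst]:
            worst = verdict
    return worst


def probe(url: str, extra_fields=None, timeout: float = 10.0) -> str:
    """POST the canary as frm_add_str to a real deployment and classify the response body.
    extra_fields carries any other form fields the page requires; that set, and any session
    handling, are deployment-specific and not known from the advisory."""
    data = urllib.parse.urlencode({**(extra_fields or {}), "frm_add_str": CANARY}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for name, page in [("vulnerable", render_vulnerable(CANARY)),
                       ("fixed", render_fixed(CANARY)),
                       ("compat-single-quoted", render_compat_single_quoted(CANARY))]:
        print(f"{name:22s} {classify_reflection(page):18s} {page}")
    # Against a live instance (placeholder URL, not from the advisory):
    # print(probe("https://tickets.example.test/ics205a.php"))
```

The classifier deliberately compares the decoded attribute value with the canary rather than looking for one particular entity spelling, so PHP's `&#039;` and Python's `&#x27;` both count as encoded; a verdict of `breakout` on a pre-3.44.2 instance, and `encoded` after the upgrade, is the expected before/after result.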
Evidence notes
The primary evidence in the supplied corpus is the NVD record and three references: a GitHub commit in openises/tickets, the v3.44.2 release tag, and a VulnCheck advisory URL. The description explicitly names the affected file, parameter, and vulnerability class. Vendor attribution is low confidence in the provided metadata, so the debrief treats Open ISES Tickets as the product name from the source description rather than asserting a separate vendor identity. The NVD record also shows vulnStatus: Deferred.
Official resources
According to the supplied timeline, the CVE was published on 2026-05-21 and modified later the same day. The source references indicate the issue was disclosed alongside a fixing commit and the v3.44.2 release tag, which is the fixed version identified.