PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48222 Open ISES CVE debrief

CVE-2026-48222 is a reflected cross-site scripting issue in Open ISES Tickets before version 3.44.2. An authenticated attacker can place unsanitized input from the frm_add_str POST parameter into a hidden HTML input value in ics213.php, causing arbitrary JavaScript to execute when the page is rendered in a victim's browser. The reported CVSS severity is medium, and the flaw is categorized as CWE-79.

Vendor: Open ISES
Product: Tickets
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and developers running Open ISES Tickets deployments prior to 3.44.2 should prioritize this issue, especially if authenticated users can reach ics213.php or related ticket workflows. Security teams should also care because reflected XSS can affect user sessions and browser-side trust even when exploitation requires authentication and user interaction.

Technical summary

The vulnerable path is ics213.php, where the frm_add_str POST parameter is written into the value attribute of a hidden HTML form input without proper output encoding. Because the parameter is reflected into the response, input containing a quote can close the attribute and introduce new markup, so JavaScript-containing input executes in the browser of a user who loads the crafted response. The CVSS vector supplied by the source indicates a network attack vector with user interaction required.

Defensive priority

Medium. The issue is exploitable remotely but requires authentication and user interaction, and it is addressed by the vendor release labeled 3.44.2. For most environments, upgrading to 3.44.2 or later should be the first remediation step.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Review ics213.php and any related form rendering code for proper HTML output encoding.
  • Validate that POST parameters are never written into HTML attributes without context-aware escaping.
  • Add server-side input handling and output encoding checks to prevent reflected XSS regressions.
  • Re-test the affected workflow after upgrading to confirm the reflected input is no longer executed in the browser.
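The following is an added illustration, not code from Open ISES Tickets: it contrasts the attribute-context reflection pattern the advisory describes with a hardened rendering helper, and includes a regression check of the kind the last step calls for. The function names, the surrounding form, and the sample input are assumptions; only the parameter name frm_add_str comes from the advisory.

```php
<?php
// Added example (not Open ISES code). Function names are hypothetical.

// Vulnerable pattern described in the advisory: the raw POST value lands
// inside value="...", so a quote in the input ends the attribute early.
function render_hidden_unsafe(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: context-aware escaping for an HTML attribute value.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE prevents invalid
// UTF-8 from silently turning the whole value into an empty string.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hidden_safe(string $name, string $value): string
{
    return '<input type="hidden" name="' . attr($name) . '" value="' . attr($value) . '">';
}

// Regression check for the re-test step: the fragment must parse to exactly
// one element (the hidden input, nothing injected beside it) and the value
// read back from its attribute must round-trip to the original string.
function hidden_input_is_intact(string $fragment, string $expected): bool
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate malformed markup
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $fragment . '</body></html>');
    libxml_use_internal_errors($prev);

    $body   = $doc->getElementsByTagName('body')->item(0);
    $inputs = $doc->getElementsByTagName('input');
    if ($body === null || $body->childNodes->length !== 1 || $inputs->length !== 1) {
        return false;
    }
    return $inputs->item(0)->getAttribute('value') === $expected;
}

// Constructed sample: harmless text containing the characters an attribute
// context cannot hold raw (double quote, ampersand, angle brackets).
$sample = 'Type: "A" & <b>';
foreach (['unsafe' => 'render_hidden_unsafe', 'safe' => 'render_hidden_safe'] as $label => $fn) {
    $ok = hidden_input_is_intact($fn('frm_add_str', $sample), $sample);
    echo $label, ': ', $ok ? 'value intact' : 'attribute broken', PHP_EOL;
}
```

Running the script with the ext-dom extension available reports the unsafe renderer as broken and the hardened one as intact; the same check can be pointed at the real ics213.php response after upgrading.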

Evidence notes

The vulnerability description, affected version boundary, weakness class, and fix reference are supported by the supplied NVD record and the referenced VulnCheck disclosure material. The source set includes a commit reference and a 3.44.2 release tag, which align with the stated remediation. NVD lists the record with vulnStatus set to Deferred, and the vendor metadata in the source set is low-confidence, so product identification should be treated as supported by the disclosure references rather than vendor attribution alone.

Official resources

The issue was disclosed through VulnCheck and reflected in NVD on 2026-05-21, with the CVE record and source metadata updated the same day.