PatchSiren cyber security CVE debrief
CVE-2026-48223 Open ISES CVE debrief
CVE-2026-48223 is a reflected cross-site scripting issue in Open ISES Tickets affecting versions before 3.44.2. The flaw is tied to ics213rr.php, where an unsanitized frm_add_str POST parameter is placed directly into a hidden input value attribute, enabling JavaScript execution in a victim’s browser when the crafted response is rendered. The vulnerability was published on 2026-05-21 and NVD later listed the entry as Deferred. Although the CVSS score is in the medium range, the issue still matters because it can be used against authenticated users and can expose session or workflow data in the browser context.
- Vendor: Open ISES
- Product: Tickets
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and maintainers of Open ISES Tickets deployments, especially anyone running a version earlier than 3.44.2. Security teams should also pay attention if authenticated users can reach ics213rr.php workflows, since the attack requires a victim to render a maliciously crafted response.
Technical summary
The issue is a reflected XSS vulnerability in ics213rr.php. According to the supplied description and NVD metadata, the application takes the frm_add_str POST parameter and inserts it into an HTML hidden input value attribute without adequate sanitization or encoding. Because the browser interprets the resulting markup in the victim’s session, attacker-supplied JavaScript can execute when the response is rendered. The weakness is classified as CWE-79.
Defensive priority
Medium priority. The CVSS score is 5.1 (MEDIUM), and the attack requires user interaction, but the impact can still include browser-side compromise of authenticated users. Prioritize patching to 3.44.2 if you run affected versions, then verify there are no other similar output-encoding gaps in related request handlers.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Confirm no production systems remain on versions earlier than 3.44.2.
- Review ics213rr.php and related handlers for unsanitized values written into HTML attributes.
- Apply context-appropriate output encoding for all request-derived data before rendering it into HTML.
- Consider adding a restrictive Content Security Policy to reduce the impact of any remaining XSS issues.
- Audit authenticated workflows that can render attacker-influenced content and monitor for unusual browser-side behavior or account actions.
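To make the attribute-context encoding gap from the technical summary and the encoding and CSP recommendations above concrete, here is an added illustration in PHP. It is not code from Open ISES Tickets or from its fix commit; the handler layout, the function names and the sample input are assumptions chosen only to show the unsafe pattern next to its hardened form.

```php
<?php
// Added illustration for this debrief, not the project's own code.
// The debrief describes a POST parameter (frm_add_str) written unencoded into a
// hidden input's value attribute in ics213rr.php. The two renderers below are
// hypothetical stand-ins that show that pattern and the fix side by side.

// Unsafe pattern: request-derived data concatenated straight into an attribute.
// A value containing a double quote terminates the attribute, so whatever
// follows is parsed as markup rather than as data (CWE-79).
function render_hidden_unsafe(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context.
// ENT_QUOTES escapes both ' and " (so the attribute cannot be closed early),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// and the explicit charset keeps the encoder and the page in agreement.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hidden_safe(string $name, string $value): string
{
    return '<input type="hidden" name="' . attr($name)
        . '" value="' . attr($value) . '">';
}

// Defense in depth: a restrictive Content Security Policy limits what any
// injected script could do if another encoding gap remains. header() must be
// called before any output is sent.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Hypothetical request handler: reads the parameter the debrief names from the
// POST body and always routes it through the attribute encoder.
function handle_request(array $post): string
{
    $value = (string) ($post['frm_add_str'] ?? '');
    return render_hidden_safe('frm_add_str', $value);
}

// Constructed sample input (not a captured request): it contains the characters
// that matter in attribute context, namely quotes, an ampersand and angle brackets.
$sample = 'O\'Brien & "Co" <test>';

if (PHP_SAPI !== 'cli') {
    send_csp_header();
}
echo "unsafe: ", render_hidden_unsafe('frm_add_str', $sample), PHP_EOL;
echo "safe:   ", handle_request(['frm_add_str' => $sample]), PHP_EOL;
```

Running this from the command line prints both renderings: in the unsafe one the double quote in the sample ends the value attribute and the angle-bracketed text lands in the markup, while the hardened one emits the quote, ampersand and brackets as HTML entities so the browser treats the whole string as attribute data. The same `attr()` helper should wrap every request-derived value written into an attribute, and element content should get its own encoder call; the CSP header is a fallback, not a substitute for encoding.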
Evidence notes
The source corpus states that the issue affects Open ISES Tickets before 3.44.2 and that the vulnerable sink is ics213rr.php with the frm_add_str POST parameter. The NVD record published on 2026-05-21 and last modified the same day lists the weakness as CWE-79 and includes a CVSS v4 vector consistent with network-reachable, user-interaction-required XSS. The corpus also includes a fix commit and the v3.44.2 release tag as supporting evidence that the issue was remediated in that release. NVD vulnStatus is Deferred in the supplied record, so the debrief avoids claiming additional NVD validation beyond what is provided.
Official resources
Publicly disclosed on 2026-05-21 in the supplied source corpus and recorded by NVD the same day. The NVD entry is marked Deferred in the provided metadata.