PatchSiren cyber security CVE debrief
CVE-2026-48224 Open ISES CVE debrief
CVE-2026-48224 is a reflected cross-site scripting flaw in the ics214.php handler of the Open ISES Tickets project. The supplied description says the frm_add_str POST parameter is copied unsanitized into the value attribute of an HTML hidden input, so a crafted value can break out of the attribute and inject markup or script that runs when the response is rendered. The fix is tied to the v3.44.2 release and a corresponding GitHub commit, while the NVD record in the supplied metadata is marked Deferred.
- Vendor
- Open ISES
- Product
- Tickets
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-21
- Original CVE updated
- 2026-05-21
- Advisory published
- 2026-05-21
- Advisory updated
- 2026-05-21
Who should care
Administrators and developers responsible for Open ISES Tickets deployments, especially anyone who maintains or exposes the ics214.php workflow to users. Security teams should also review similar form-handling pages for the same reflected XSS pattern.
Technical summary
The vulnerability is a CWE-79 reflected XSS in ics214.php. According to the supplied description, the application reads the frm_add_str POST parameter and writes it directly into the value attribute of an HTML hidden input without validation or context-aware output encoding. Because the injection point is an attribute, a value containing the attribute's own quote character terminates the attribute and lets the remainder be parsed as further attributes or elements, which the browser then interprets and, for script or event-handler content, executes. A hidden input is not displayed, but its attribute is still part of the parsed DOM, so the hidden type offers no protection. The corpus links the remediation to Open ISES Tickets v3.44.2 and a specific GitHub commit.
Defensive priority
Medium. Patch promptly if you run affected Open ISES Tickets versions. Reflected XSS runs in the victim's browser within the victim's session, so it can expose session or workflow data and perform actions as that user. Because the injection point is a POST parameter, the attacker cannot deliver it with a plain link; the victim must be induced to submit a crafted form (for example from an attacker-controlled page), which requires user interaction and raises the bar compared with a GET-reflected parameter.
Recommended defensive actions
- Upgrade Open ISES Tickets to v3.44.2 or later.
- Review the fix commit referenced in the corpus and confirm the vulnerable code path is no longer present in your deployed build.
- Audit ics214.php and similar handlers for unsanitized POST-to-HTML reflection, especially in hidden input value attributes.
- Apply context-aware output encoding (for HTML attribute values: htmlspecialchars with ENT_QUOTES and an explicit charset, and the attribute itself quoted) plus server-side validation for any user-controlled data rendered into HTML attributes.
- Re-test the application after upgrading by submitting a benign canary value to frm_add_str and confirming in the raw response that the quote and angle-bracket characters come back entity-encoded, rather than only checking that a script no longer fires.
- Consider adding defense-in-depth controls such as a restrictive Content Security Policy where feasible.
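As an added illustration for the technical summary and the encoding and re-test steps above (this is not the Open ISES Tickets source or the fix commit; only the handler name ics214.php and the frm_add_str parameter come from the advisory, while the markup, function names and canary value are assumed), the following PHP script places the vulnerable pattern beside its hardened form and checks the output the way a re-test would:

```php
<?php
// Added illustration for this debrief. NOT the Open ISES Tickets code: the
// parameter name frm_add_str and handler ics214.php come from the advisory;
// the markup, function names and canary value below are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the POST value is concatenated straight into a quoted
// value attribute. A value containing a double quote closes the attribute,
// so whatever follows is parsed as new attributes or elements.
function render_hidden_unsafe(string $value): string
{
    return '<input type="hidden" name="frm_add_str" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context and keep the
// attribute quoted. ENT_QUOTES encodes both " and ', ENT_SUBSTITUTE avoids
// returning an empty string on malformed UTF-8, and the explicit charset
// keeps the encoding independent of php.ini defaults.
function render_hidden_safe(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="frm_add_str" value="' . $encoded . '">';
}

// Defense in depth: a restrictive CSP blocks inline script and inline event
// handlers even if an encoding bug slips through elsewhere. Headers are only
// sent under a web SAPI so the script also runs from the command line.
function send_csp(): void
{
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    }
}

// Re-test check: the value was NOT attribute-encoded if the raw canary
// (quote plus angle brackets) survives verbatim in the rendered markup.
function reflects_raw_canary(string $html, string $canary): bool
{
    return strpos($html, $canary) !== false;
}

// Constructed stand-in for a crafted POST body. The canary breaks out of the
// attribute and injects a harmless element; it carries no script on purpose.
$_POST['frm_add_str'] = $_POST['frm_add_str'] ?? '"><xss-canary>';
$value = (string) $_POST['frm_add_str'];

send_csp();
echo "unsafe: ", render_hidden_unsafe($value), "\n";
echo "safe:   ", render_hidden_safe($value), "\n";
echo "unsafe reflects raw canary: ", var_export(reflects_raw_canary(render_hidden_unsafe($value), $value), true), "\n";
echo "safe reflects raw canary:   ", var_export(reflects_raw_canary(render_hidden_safe($value), $value), true), "\n";
```

Run it with `php` on the command line, or drop the functions into a test page and POST the canary with a browser or curl. The unsafe render shows the canary element outside the attribute; the safe render shows `&quot;&gt;&lt;xss-canary&gt;` inside it. Note that encoding alone is only correct because the attribute is quoted; an unquoted attribute would also need whitespace and other delimiters encoded, so the simpler rule is to always quote attributes and then entity-encode.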
Evidence notes
The supplied description identifies the bug as reflected XSS in ics214.php via the frm_add_str POST parameter. Supporting corpus items include a GitHub commit associated with the fix, the v3.44.2 release tag, and a Vulncheck advisory reference. The NVD source item in the corpus shows published/modified timestamps on 2026-05-21 and marks the vulnerability status as Deferred. The supplied vendor attribution is low-confidence and should be treated as needing review.
Official resources
Publicly disclosed on 2026-05-21 via the supplied Vulncheck reference, with the NVD record published and updated the same day.