PatchSiren cyber security CVE debrief

CVE-2026-48225 Open ISES CVE debrief

CVE-2026-48225 is a reflected cross-site scripting issue in Open ISES Tickets versions before 3.44.2. The affected landb.php path passes an unsanitized _type POST parameter into an HTML hidden input value attribute, which can let an authenticated attacker inject JavaScript that executes in another user’s browser when the response is rendered. The issue was publicly recorded on 2026-05-21, with the fix referenced in the v3.44.2 release and the related commit.

Vendor: Open ISES
Product: Tickets
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators, maintainers, and developers responsible for Open ISES Tickets deployments, especially environments that allow authenticated users to reach the affected landb.php workflow. Security teams should also care if the application is internet-facing or if privileged users routinely handle ticket workflows in the browser.

Technical summary

The vulnerability is a reflected XSS flaw classified as CWE-79. According to the supplied record, landb.php copies the _type POST parameter into the value attribute of an HTML hidden form input without sanitization or output encoding. Because the value is reflected in the server response, a crafted request can cause browser-side script execution in the context of a victim's session when the page is rendered; a double quote in the parameter is enough to terminate the attribute early, so encoding for the attribute context is the relevant control. The affected software is identified as Open ISES Tickets before version 3.44.2, and the referenced fix is associated with the 3.44.2 release.

Defensive priority

Medium. This is an authenticated, user-interaction-dependent web XSS issue with potential session and browser-side impact, so patching should be prioritized for any exposed or widely used deployment.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Verify that any custom forks or backported builds include the landb.php fix.
  • Review server-side handling of the _type parameter and ensure output encoding is applied before placing data into HTML attributes.
  • Check access logs and application logs for suspicious requests targeting landb.php or unusual _type values.
  • If the application is used by privileged staff, review browser session exposure and consider refreshing credentials or sessions as a precaution after remediation.
  • Run a web application security scan or code review focused on reflected input handling in the affected workflow.
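The unsafe pattern described in the technical summary, beside the attribute-context encoding the actions above call for, as an added illustration rather than code from Open ISES Tickets (the form markup and the allowed _type values are assumptions):

```php
<?php
// Added example, not the project's landb.php: the pattern the debrief describes
// and its hardened form. '_type' is the parameter named in the CVE; the
// surrounding markup and the allowed value set are assumed for illustration.

// Unsafe: the raw parameter is interpolated into a double-quoted attribute,
// so a double quote in the input closes the attribute and what follows is
// parsed as markup. This is the behaviour the advisory attributes to landb.php.
function render_hidden_type_unsafe(string $type): string
{
    return '<input type="hidden" name="_type" value="' . $type . '">';
}

// Hardened: encode for the HTML attribute context before interpolation.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces malformed
// UTF-8 instead of returning an empty string, which would silently drop data.
function render_hidden_type_safe(string $type): string
{
    $encoded = htmlspecialchars($type, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="_type" value="' . $encoded . '">';
}

// Defence in depth: if _type is meant to be one of a fixed set of ticket
// types (set assumed here), reject anything else before it reaches the
// template at all. Encoding is still required on output even with this check.
function validate_type(?string $type, array $allowed = ['bug', 'request', 'task']): ?string
{
    if ($type === null || !in_array($type, $allowed, true)) {
        return null;
    }
    return $type;
}

// Constructed input containing the characters that matter for an attribute:
// a double quote and angle brackets. Not taken from any real request.
$sample = 'bug" <x>';

echo render_hidden_type_unsafe($sample), PHP_EOL;
// <input type="hidden" name="_type" value="bug" <x>">   (attribute broken)
echo render_hidden_type_safe($sample), PHP_EOL;
// <input type="hidden" name="_type" value="bug&quot; &lt;x&gt;">   (inert)

// Typical request handling: validate, then encode on output.
$type = validate_type($_POST['_type'] ?? null);
if ($type === null) {
    http_response_code(400);
    exit('invalid _type');
}
echo render_hidden_type_safe($type), PHP_EOL;
```

Run from the command line with `php example.php` to compare the two rendered lines; the request-handling tail only does useful work when served by a web server.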

Evidence notes

The supplied NVD record states that the vulnerability was published on 2026-05-21 and lists CWE-79, with a Vulncheck-sourced advisory referencing the fix commit ecfeb406a016766cae81c749e14b5145a9f2dbff and the v3.44.2 release tag. The record also marks the vulnerability as deferred in NVD at the time of its last modification, but the fix references indicate the issue was addressed in the 3.44.2 release.

Official resources

Publicly disclosed on 2026-05-21. The supplied record ties the remediation to the Open ISES Tickets v3.44.2 release and the associated commit reference.