PatchSiren cyber security CVE debrief
CVE-2026-48227 Open ISES CVE debrief
CVE-2026-48227 is a reflected cross-site scripting issue in Open ISES Tickets, published on 2026-05-21. The flaw affects patient.php in versions before 3.44.2 and can let an authenticated attacker supply crafted id and ticket_id values that are rendered back into an HTML form action URL without proper sanitization. When a victim loads the affected response, the injected JavaScript can execute in the browser.
- Vendor: Open ISES
- Product: Tickets
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Organizations running Open ISES Tickets before version 3.44.2 should care, especially administrators and support teams who expose patient.php to authenticated users. Security teams should also review any workflows where one user can send a crafted link or request to another user who then views the response.
Technical summary
The issue is a reflected XSS weakness (CWE-79) in patient.php. Per the provided description, unsanitized GET parameters named id and ticket_id are passed directly into an HTML form action URL, creating a browser-side script injection point. The supplied references point to a remediation commit and the 3.44.2 release, indicating the vulnerability was addressed there. The impact is limited to script execution in a victim's browser when the malformed response is rendered.
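The pattern the description names (query values written straight into a form action attribute) and its hardened counterpart, as an added illustration. This is not Open ISES code and does not reproduce patient.php; only the endpoint name and the parameter names id and ticket_id come from the CVE record, and the function names, the assumption that both identifiers are positive integers, and the form markup are mine.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Endpoint and parameter names are from the
// CVE description; everything else (function names, integer-only identifiers) is assumed.

/**
 * Read a query parameter as a positive integer identifier.
 * Returns null when the value is missing or is not a plain decimal integer, so
 * quotes, angle brackets and URL schemes never reach the template at all.
 */
function read_int_param(array $query, string $name): ?int
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return null;
    }
    $value = filter_var($query[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

/**
 * Build the action attribute value for the form from validated identifiers.
 * http_build_query percent-encodes the URL query; htmlspecialchars then encodes
 * the result for the attribute context, including both quote characters and '&'.
 */
function patient_form_action(array $query): string
{
    $id = read_int_param($query, 'id');
    $ticketId = read_int_param($query, 'ticket_id');
    if ($id === null || $ticketId === null) {
        // Fail closed: render the bare endpoint instead of echoing rejected input.
        return 'patient.php';
    }
    $url = 'patient.php?' . http_build_query(['id' => $id, 'ticket_id' => $ticketId]);
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable shape for contrast (kept as a comment): raw query values concatenated
// into the attribute, with no validation and no encoding for the attribute context.
//   $action = 'patient.php?id=' . $_GET['id'] . '&ticket_id=' . $_GET['ticket_id'];
//   echo '<form action="' . $action . '">';

// Hardened rendering: the attribute can only contain the path, digits, '=' and '&amp;'.
$action = patient_form_action($_GET);
echo '<form method="post" action="' . $action . '">' . "\n";
echo '  <input type="submit" value="Update">' . "\n";
echo '</form>' . "\n";
```

Validation and encoding are deliberately both present: validation rejects anything that is not an identifier, and attribute-context encoding guards the template even if a later change relaxes the validation. Reviewing other templates for the commented-out shape is the code-review step the recommended actions below describe.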
Defensive priority
Medium. The vulnerability is user-interaction dependent and tied to a specific application endpoint, but reflected XSS can still enable session theft, unauthorized actions in the browser context, or phishing-style abuse. Patch promptly if the product is deployed and verify exposure of patient.php to authenticated users.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Review patient.php and related request-handling code for direct insertion of GET parameters into HTML attributes or URLs.
- Apply output encoding and input validation for id and ticket_id before rendering them into the response.
- Inspect any custom templates, plugins, or local patches for the same pattern of unsanitized attribute injection.
- If immediate upgrading is not possible, restrict access to the affected interface and monitor for suspicious requests to patient.php.
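A small monitoring routine for the last action above, added here as an example rather than taken from the page or the project. It scans web-server access-log lines for requests to patient.php whose id or ticket_id value is not a plain decimal integer; the log lines are constructed, and the assumption that valid identifiers are digits only is mine, drawn from the parameter names rather than from product documentation.

```php
<?php
declare(strict_types=1);

// Constructed sample access-log lines in combined log format (not real traffic).
$sampleLog = <<<'LOG'
10.0.0.5 - alice [21/May/2026:10:01:02 +0000] "GET /tickets/patient.php?id=42&ticket_id=1001 HTTP/1.1" 200 5123
10.0.0.9 - bob [21/May/2026:10:02:15 +0000] "GET /tickets/patient.php?id=7%27&ticket_id=1002 HTTP/1.1" 200 5140
10.0.0.9 - bob [21/May/2026:10:02:40 +0000] "GET /tickets/index.php?id=abc HTTP/1.1" 200 800
10.0.0.12 - carol [21/May/2026:10:03:01 +0000] "GET /tickets/patient.php?id=13&ticket_id=abc HTTP/1.1" 200 5140
LOG;

/**
 * Return the log entries that request patient.php with an id or ticket_id value
 * that is not a plain decimal integer. Digits-only identifiers are an assumption.
 * Each hit records the offending parameter, its decoded value and the raw line.
 */
function flag_suspicious_patient_requests(string $log): array
{
    $flagged = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $path = parse_url($m[1], PHP_URL_PATH);
        if (!is_string($path) || basename($path) !== 'patient.php') {
            continue;   // other endpoints are out of scope for this check
        }
        $query = (string) parse_url($m[1], PHP_URL_QUERY);
        parse_str($query, $params);   // parse_str percent-decodes the values
        foreach (['id', 'ticket_id'] as $name) {
            $value = $params[$name] ?? null;
            if ($value !== null && (!is_string($value) || !preg_match('/^\d+$/', $value))) {
                $flagged[] = ['param' => $name, 'value' => $value, 'line' => $line];
                break;   // one alert per request is enough
            }
        }
    }
    return $flagged;
}

// With the sample above this reports bob's request (id decodes to 7') and carol's
// (ticket_id=abc); alice's request and the index.php request are not flagged.
foreach (flag_suspicious_patient_requests($sampleLog) as $hit) {
    printf("ALERT %s=%s :: %s\n", $hit['param'], var_export($hit['value'], true), $hit['line']);
}
```

The check keys on the parameter format rather than on any particular string, so it also surfaces ordinary client bugs; tune the allowed format to what the deployed version actually accepts before relying on it, and pair it with the upgrade rather than treating it as a substitute.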
Evidence notes
This debrief is based only on the supplied CVE record and linked references. The CVE description states the flaw is a reflected XSS in patient.php affecting Open ISES Tickets before 3.44.2. The NVD-linked source includes a remediation commit, the 3.44.2 release tag, and a VulnCheck advisory. Vendor attribution in the supplied metadata is low confidence and marked for review, so product naming is limited to the evidence present in the CVE description and references.
Official resources
Published on 2026-05-21. The supplied timeline shows the CVE was published and modified the same day, with source publication aligned to the CVE publication timestamp.