PatchSiren cyber security CVE debrief
CVE-2026-48228 Open ISES CVE debrief
CVE-2026-48228 is a reflected cross-site scripting issue affecting Open ISES Tickets before version 3.44.2. The flaw is in patient_w.php, where unsanitized values from the id and ticket_id GET parameters are passed directly into an HTML form action URL. Because the response can echo attacker-controlled input into a browser-rendered page, an authenticated attacker can trigger script execution in a victim session by sending a crafted link or request. The CVSS score is 5.1 (Medium), and the vulnerability is categorized as CWE-79.
- Vendor: Open ISES
- Product: Tickets
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and security teams running Open ISES Tickets deployments prior to 3.44.2, especially where authenticated users can be targeted with crafted links or internal web requests. Application defenders responsible for session protection, output encoding, and upgrade management should prioritize this issue.
Technical summary
The issue is a reflected XSS in patient_w.php caused by insufficient sanitization of the id and ticket_id GET parameters before they are inserted into an HTML form action URL. The attack requires user interaction and authenticated access, which matches the CVSS vector and keeps the severity in the medium range. The vendor-provided advisory and upstream release indicate the issue was addressed in version 3.44.2, with a corresponding commit in the openises/tickets repository.
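The pattern the summary describes, raw GET values concatenated into a form action attribute, and the two-layer fix the debrief recommends (validate the identifiers, then percent-encode the query and HTML-encode the attribute), shown as an added example in Python. This is illustrative code written for this debrief, not the project's PHP and not the actual contents of patient_w.php; the function names, the form markup and the hostile sample value are constructed. The parser at the end exists only so the effect on the rendered markup can be checked.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode


# Constructed illustration of the vulnerable pattern the debrief describes:
# raw GET values concatenated into a form's action URL. Not the project's code.
def render_form_unsafe(id_value: str, ticket_id: str) -> str:
    return (f'<form method="post" action="patient_w.php?id={id_value}'
            f'&ticket_id={ticket_id}"><input type="submit"></form>')


def validate_numeric_id(value: str, name: str) -> int:
    """Reject anything that is not a plain decimal identifier."""
    if not value.isdigit():
        raise ValueError(f"{name} must be a decimal integer")
    return int(value)


def encode_action(path: str, params: dict) -> str:
    """Build the URL with percent-encoding, then HTML-encode it for an attribute.

    urlencode() neutralises quotes and angle brackets inside parameter values;
    html.escape() handles the '&' that separates query parameters.
    """
    return html.escape(f"{path}?{urlencode(params)}", quote=True)


def render_form_safe(id_value: str, ticket_id: str) -> str:
    """Hardened counterpart: validate first, then encode for both contexts."""
    params = {
        "id": validate_numeric_id(id_value, "id"),
        "ticket_id": validate_numeric_id(ticket_id, "ticket_id"),
    }
    action = encode_action("patient_w.php", params)
    return f'<form method="post" action="{action}"><input type="submit"></form>'


class _TagCollector(HTMLParser):
    """Collect start tags so a check can see whether input broke out of the attribute."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment: str) -> list:
    """Return [(tag, attrs), ...] for every start tag in the fragment."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    hostile = '1"><i>'  # constructed value containing a quote and angle brackets
    print("unsafe tags:", [t for t, _ in parse_tags(render_form_unsafe(hostile, "7"))])
    print("safe tags:  ", [t for t, _ in parse_tags(render_form_safe("1", "7"))])
```

With the constructed hostile value, the unsafe renderer yields a form whose action attribute ends at `id=1` and an extra `<i>` element appears in the page; the hardened renderer rejects the value outright, and even `encode_action()` alone keeps a hostile string confined to the attribute because the markup characters are percent-encoded before the attribute is written.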
Defensive priority
Medium. The issue is exploitable in the browser and can be used to run arbitrary JavaScript in a targeted authenticated session, but it requires user interaction and does not indicate direct server compromise. Prioritize patching if the application is internet-facing or used by high-trust operators.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Review and validate the upstream fix in the referenced commit to confirm the vulnerable parameter handling is removed.
- Treat links or requests containing id and ticket_id parameters as suspicious until all instances are patched.
- Apply server-side output encoding and input validation for any remaining dynamic HTML generation in patient_w.php and related routes.
- Use a restrictive Content Security Policy to reduce the impact of any future client-side injection issues.
- Audit authentication-protected workflows for similar reflected output patterns and remediate consistently.
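The third action above, treating requests with unexpected id and ticket_id values as suspicious until patching is complete, as an added example in Python that scans web server access logs in combined log format. This is not tooling from the project or the debrief's source; the log lines are constructed, the path and parameter names come from the debrief, and the "decimal identifiers only" rule is an assumption about what legitimate values look like that should be confirmed against the deployment before alerting on it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2026:10:01:02 +0000] "GET /patient_w.php?id=12&ticket_id=34 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [21/May/2026:10:01:40 +0000] "GET /patient_w.php?id=1%22%3E%3Ci%3E&ticket_id=34 HTTP/1.1" 200 640 "http://example.invalid/mail" "Mozilla/5.0"
10.0.0.5 - - [21/May/2026:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
10.0.0.7 - - [21/May/2026:10:03:00 +0000] "GET /patient_w.php?id=5&ticket_id=abc HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: source, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

WATCHED_PATH = "/patient_w.php"          # affected script named in the debrief
WATCHED_PARAMS = ("id", "ticket_id")     # affected parameters named in the debrief
MARKUP_CHARS = re.compile(r'["\'<>]')    # characters that can break out of an attribute


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def suspicious_params(target: str) -> list:
    """List (param, decoded value, reason) for watched params that are not plain integers.

    Assumption: legitimate id/ticket_id values are decimal integers. parse_qs()
    percent-decodes values, so encoded quotes and angle brackets are caught too.
    """
    parts = urlsplit(target)
    if parts.path != WATCHED_PATH:
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            if value.isdigit():
                continue
            reason = "markup characters" if MARKUP_CHARS.search(value) else "non-numeric value"
            findings.append((name, value, reason))
    return findings


def scan_log(text: str) -> list:
    """Produce one alert dict per suspicious parameter value found in the log text."""
    alerts = []
    for line in text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        for name, value, reason in suspicious_params(record["target"]):
            alerts.append({
                "src": record["src"],
                "time": record["time"],
                "param": name,
                "value": value,
                "reason": reason,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Markup characters in a watched parameter are the higher-confidence signal and map directly to the flaw described; a merely non-numeric value is worth a lower-severity alert because it shows something other than the application's own links is driving requests to the script. Run the scanner over the reverse proxy or web server log, and keep the rule in place until every instance has been upgraded to 3.44.2 or later.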
Evidence notes
The supplied source corpus identifies Open ISES Tickets before 3.44.2 as affected and cites a reflected XSS in patient_w.php involving unsanitized id and ticket_id parameters. The record references an upstream fix commit and the v3.44.2 release tag on GitHub, plus a VulnCheck advisory page. NVD metadata in the supplied corpus marks the CVE status as Deferred, and the weakness mapping provided by the disclosure is CWE-79. Vendor attribution in the input is low confidence and should be treated as tentative.
Official resources
Publicly disclosed on 2026-05-21 in the supplied CVE/NVD material, with references to a VulnCheck advisory, an upstream GitHub commit, and the v3.44.2 release that contains the fix.