PatchSiren cyber security CVE debrief
CVE-2026-48229 Open ISES CVE debrief
CVE-2026-48229 is a reflected cross-site scripting vulnerability in Open ISES Tickets versions before 3.44.2. The supplied advisory states that routes_i.php accepts an unsanitized ticket_id GET parameter and reflects it into HTML hidden input value attributes, allowing attacker-supplied JavaScript to execute in a victim's browser when the page renders. The linked fix is associated with the 3.44.2 release.
- Vendor: Open ISES
- Product: Tickets
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and operators of Open ISES Tickets instances running versions earlier than 3.44.2 should prioritize this issue, along with application security teams and anyone responsible for the ticket workflow UI and server-side input handling.
Technical summary
The vulnerable code path is routes_i.php. According to the supplied description, the application reflects the ticket_id query parameter into a hidden input value without proper output encoding or sanitization. That creates a reflected XSS condition in a browser-rendered page. The provided references point to a fixing Git commit and the v3.44.2 release tag, which together indicate the patched version line.
Defensive priority
Medium. Apply the vendor fix promptly if you run an affected version, because this is a browser-executed XSS issue in a web application path, even though it is not listed as a KEV item.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Confirm that the deployed build includes the fix referenced by the linked Git commit and release tag.
- Review routes_i.php and adjacent rendering paths for proper HTML attribute escaping of all reflected request parameters.
- Temporarily restrict access to the affected ticket interface if you cannot patch immediately.
- Monitor for requests carrying ticket_id values that contain HTML or script markup, and review application and web server logs for such requests.
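As an added illustration of the attribute-context escaping that the review action above and the technical summary call for: the snippet below is constructed example code, not code from Open ISES Tickets or from the fixing commit. The function names, the assumption that a ticket id is a positive integer, and the sample values are all assumptions made here to show the unsafe pattern next to the hardened one.

```php
<?php
// Constructed illustration of the reflected-attribute pattern the advisory
// describes. Not code from Open ISES Tickets; names and layout are assumed.

// Vulnerable pattern: the request value is concatenated straight into the
// attribute, so a double quote in ticket_id closes the value and whatever
// follows is parsed as markup by the browser.
function render_hidden_unsafe(string $ticketId): string
{
    return '<input type="hidden" name="ticket_id" value="' . $ticketId . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES makes
// both " and ' inert, ENT_SUBSTITUTE keeps malformed UTF-8 from turning the
// whole value into an empty string, and the charset must match the page's
// declared encoding or the encoder cannot reason about byte sequences.
function render_hidden_safe(string $ticketId): string
{
    $encoded = htmlspecialchars($ticketId, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="ticket_id" value="' . $encoded . '">';
}

// Defence in depth (assumption: a ticket id is a positive integer). Validate
// the type before the value reaches any template; return null so the caller
// can reject the request instead of rendering it.
function parse_ticket_id(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Constructed sample input: a benign id and a value that breaks out of the
// attribute. No script is needed to show the defect; the stray '">' is enough.
$samples = ['1042', '1042"><b>escaped</b>'];

foreach ($samples as $s) {
    echo "input:     " . $s . PHP_EOL;
    echo "unsafe:    " . render_hidden_unsafe($s) . PHP_EOL;
    echo "safe:      " . render_hidden_safe($s) . PHP_EOL;
    $id = parse_ticket_id($s);
    echo "validated: " . ($id === null ? 'rejected' : (string) $id) . PHP_EOL . PHP_EOL;
}
```

Run with `php example.php`. For the second sample, the unsafe rendering emits a closed input followed by live `<b>` markup, while the safe rendering keeps the whole string inside the value as `1042&quot;&gt;&lt;b&gt;escaped&lt;/b&gt;`, and the validator rejects it outright. When auditing routes_i.php and neighbouring templates, the check is that every reflected parameter passes through an attribute-context encoder like the second function (or a templating engine that applies one by default), and that type validation such as the third function happens before rendering rather than instead of encoding.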
Evidence notes
The supplied NVD source item shows CVE-2026-48229 with a last-modified timestamp of 2026-05-21 and a vulnStatus of 'Deferred'. The referenced materials include a GitHub commit, the v3.44.2 release tag, and a Vulncheck advisory whose title refers to reflected XSS via routes_i.php and the ticket_id parameter. The supplied vulnerability description identifies CWE-79 and states that the issue affects Open ISES Tickets before 3.44.2.
Official resources
The supplied corpus ties disclosure to the 2026-05-21 CVE publication and the linked Vulncheck advisory. Use the CVE published timestamp as the issue date for this debrief.