PatchSiren cyber security CVE debrief
CVE-2026-48230 Open ISES CVE debrief
CVE-2026-48230 describes a reflected cross-site scripting issue in Open ISES Tickets affecting ticketsmdb_import.php before version 3.44.2. According to the supplied vulnerability description, an authenticated attacker can submit POST values that the script reflects, unencoded, into the value attributes of HTML hidden inputs; a crafted value breaks out of the attribute and causes JavaScript to execute in the browser of the user who renders the response. The available references point to an upstream commit and the v3.44.2 release as the fix path.
- Vendor: Open ISES
- Product: Tickets
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Organizations running Open ISES Tickets, especially any deployment still on a version earlier than 3.44.2. Security teams should also care wherever authenticated users can reach the ticketsmdb_import.php workflow: with a reflected flaw the crafted request is submitted from, and the response rendered in, the victim's own browser, so every user who can reach that page is a potential target.
Technical summary
The issue is a reflected XSS flaw (CWE-79) in ticketsmdb_import.php. The source description states that ten POST parameters (mdbhost, mdbdb, mdbuser, mdbpassword, mdbprefix, ticketshost, ticketsdb, ticketsuser, ticketspassword, and ticketsprefix) were inserted into the value attributes of HTML hidden form inputs without sanitization or encoding. Because the attribute is built from the raw value, a double quote in the input terminates the attribute and the sequence "> terminates the tag, so a crafted value can inject arbitrary markup, including script, that executes in the browser of the user who views the generated page. The NVD record lists the vulnerability status as Deferred and cites a CVSS v4.0 vector indicating a network attack vector, low attack complexity, and user interaction required.
Defensive priority
Medium priority. Reflected XSS requires a victim to render attacker-influenced content, and because this vector is POST-based the usual delivery is an attacker-controlled page that auto-submits a form to ticketsmdb_import.php in the victim's authenticated browser session. A successful payload then runs with the victim's privileges in the application and can enable session abuse, UI redress, and further compromise of authenticated flows. Patch promptly if you operate affected versions.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Review any custom integrations or front-end code that renders or forwards the affected POST parameters.
- Verify that attribute-context output encoding is applied before request data is inserted into HTML attributes (in PHP, htmlspecialchars with ENT_QUOTES and an explicit charset) and that attribute values are always quoted; encoding chosen for one context (HTML text, attribute, JavaScript, URL) does not protect another.
- Restrict access to the affected workflow to trusted users where possible until patched.
- Add or strengthen compensating controls: web application firewall rules covering the affected parameters, a Content Security Policy whose script-src does not allow 'unsafe-inline' (which blocks the inline script and event handlers a reflected payload depends on), and SameSite=Lax or Strict session cookies, which stop most cross-site auto-submitted POSTs from carrying the victim's session. None of these replaces the patch.
- Check application logs for unusual requests to ticketsmdb_import.php and investigate suspicious parameter values. Web server access logs usually omit POST bodies, so application-level request logging or WAF logs are the more useful source; values containing a double quote, angle brackets, or an on...= attribute are the ones to pull first.
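The following PHP is an added illustration written for this debrief, not Open ISES code. It shows the vulnerable pattern described in the technical summary (raw POST values written into value="..." attributes), the attribute-context encoding that the third action above calls for, and a regression check that fails on the vulnerable output and passes on the hardened one. Only the ten parameter names come from the CVE description; the form layout, the function names, and the request payload are assumptions.

```php
<?php
// Added illustration for this debrief (not Open ISES code): raw POST values
// written into value="..." break out of the attribute; HTML-attribute encoding
// stops it. Only the ten parameter names come from the CVE description; the
// form layout, function names and payload are assumptions.
declare(strict_types=1);

const MDB_IMPORT_PARAMS = [
    'mdbhost', 'mdbdb', 'mdbuser', 'mdbpassword', 'mdbprefix',
    'ticketshost', 'ticketsdb', 'ticketsuser', 'ticketspassword', 'ticketsprefix',
];

// Assumed vulnerable pattern: request data concatenated straight into the
// attribute. A double quote ends the attribute, and "> ends the tag.
function renderHiddenInputsVulnerable(array $post): string
{
    $html = '';
    foreach (MDB_IMPORT_PARAMS as $name) {
        $value = (string) ($post[$name] ?? '');
        $html .= '<input type="hidden" name="' . $name . '" value="' . $value . '">' . "\n";
    }
    return $html;
}

// Attribute-context encoder. ENT_QUOTES encodes both quote characters,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '' (which would
// silently drop the value), and the charset is stated explicitly.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: every value passes through attr() and the attribute stays quoted.
function renderHiddenInputsHardened(array $post): string
{
    $html = '';
    foreach (MDB_IMPORT_PARAMS as $name) {
        $value = (string) ($post[$name] ?? '');
        $html .= '<input type="hidden" name="' . $name . '" value="' . attr($value) . '">' . "\n";
    }
    return $html;
}

// Regression check for any renderer of these inputs: each line must be exactly
// one hidden input whose value contains no raw quote or angle bracket.
function hiddenInputsAreSafe(string $html): bool
{
    foreach (explode("\n", trim($html)) as $line) {
        if (!preg_match('/^<input type="hidden" name="[a-z]+" value="[^"<>]*">$/', $line)) {
            return false;
        }
    }
    return true;
}

// Constructed request: nine benign fields and one payload that closes the
// attribute and the tag, then injects an element with an event handler.
$post = array_fill_keys(MDB_IMPORT_PARAMS, 'example');
$post['mdbhost'] = '"><img src=x onerror=alert(document.domain)>';

echo 'vulnerable: ', hiddenInputsAreSafe(renderHiddenInputsVulnerable($post)) ? 'safe' : 'UNSAFE', "\n";
echo 'hardened:   ', hiddenInputsAreSafe(renderHiddenInputsHardened($post)) ? 'safe' : 'UNSAFE', "\n";
echo renderHiddenInputsHardened($post);
```

Run it with the php command-line interpreter: the vulnerable renderer reports UNSAFE because the payload closes the attribute and the tag, while the hardened renderer reports safe and prints the img payload as inert text (&quot;&gt;&lt;img ...). The payload closes the tag rather than adding an event handler to the input itself because a hidden input never receives focus or clicks; an injected sibling element is what actually executes. The check is deliberately strict (exact attribute shape, no quote or angle bracket inside the value) so it can be dropped into a test suite for any template that builds hidden inputs from request data.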
Evidence notes
The supplied record states that the issue affects Open ISES Tickets before 3.44.2 and that unsanitized POST values are reflected into hidden input value attributes in ticketsmdb_import.php. The reference set includes an upstream Git commit, the v3.44.2 release tag, and a VulnCheck advisory page. NVD metadata lists the weakness as CWE-79 and marks the vulnerability status as Deferred.
Official resources
Publicly disclosed on 2026-05-21 in the supplied NVD record and associated references. The record cites a third-party advisory, an upstream fix commit, and the v3.44.2 release tag. NVD marks the vulnerability status as Deferred in the data,