PatchSiren cyber security CVE debrief
CVE-2026-48231 Open ISES CVE debrief
CVE-2026-48231 is an authenticated SQL injection vulnerability in Open ISES Tickets versions before 3.44.2. The flaw is in tables.php, where the POST parameters tablename, indexname, and sortby are concatenated into dynamically built SELECT, UPDATE, and DELETE statements without sanitization. Because these values are used as SQL identifiers (table and column names) rather than as bound data, a crafted request can change the structure of the query and potentially read, modify, or destroy database contents. The fix is in the v3.44.2 release and its associated commit.
- Vendor: Open ISES
- Product: Tickets
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and maintainers of Open ISES Tickets deployments, especially anyone responsible for instances that allow authenticated users to reach tables.php-backed database functions. Security teams should prioritize any environment where ticketing data or adjacent application data is sensitive.
Technical summary
The supplied advisory states that tables.php builds SQL dynamically from multiple POST parameters used as table or column identifiers. Because tablename, indexname, and sortby are not sanitized before being inserted into queries, an authenticated attacker can influence SQL semantics. The vulnerability is categorized as CWE-89 and the provided CVSS vector indicates network access with low attack complexity and low privileges required, with high confidentiality impact and low integrity impact.
Defensive priority
High. Apply the vendor fix promptly, since the flaw can expose or alter database contents and requires only authenticated access. Treat exposed or widely used ticketing systems as time-sensitive patch candidates.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Review any authenticated paths that reach tables.php and restrict access to only necessary roles.
- Audit logs for suspicious request patterns involving tablename, indexname, or sortby parameters.
- Validate that server-side query construction does not concatenate user-controlled identifiers without strict allowlisting.
- After patching, verify that the fixed release and referenced commit are present in the deployed build.
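As an added illustration (not Open ISES code, and not the actual request used against tables.php), the Python below reproduces the flawed pattern from the technical summary on a constructed SQLite schema, shows the allowlist-based identifier handling recommended above, and gives the identifier-shape check that doubles as a log-triage test for the three parameters. The schema, the table and column names, the sample rows and the payload are all assumptions made for this example.

```python
"""Added example: identifier injection of the kind described for tables.php,
beside an allowlisted fix. This is illustrative code, not Open ISES code;
the schema, table/column names and sample rows are all constructed."""
import re
import sqlite3


def make_db():
    """Build a constructed in-memory database standing in for a ticketing schema."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE tickets (id INTEGER, subject TEXT);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO tickets VALUES (1, 'printer jammed'), (2, 'vpn down');
        INSERT INTO users VALUES ('alice', 'h1'), ('bob', 'h2');
        """
    )
    return con


def list_rows_vulnerable(con, tablename, sortby):
    """The flawed pattern: request-supplied identifiers go straight into the SQL.

    Identifiers cannot be bound as query parameters, so string building is the
    only option here, and with no allowlist the caller controls the query
    structure, not just a value inside it.
    """
    sql = f"SELECT * FROM {tablename} ORDER BY {sortby}"
    return con.execute(sql).fetchall()


# Allowlist of the tables this endpoint may read and the columns it may sort
# by (assumed names). Anything not listed is rejected before SQL is built.
ALLOWED_SORT_COLUMNS = {
    "tickets": ("id", "subject"),
    "users": ("username",),  # password_hash deliberately not reachable
}


def quote_ident(name):
    """Quote an already-validated identifier with standard SQL double quotes."""
    return '"' + name.replace('"', '""') + '"'


def list_rows_hardened(con, tablename, sortby):
    """Accept only allowlisted identifiers, then quote them when building SQL."""
    columns = ALLOWED_SORT_COLUMNS.get(tablename)
    if columns is None:
        raise ValueError(f"table not allowed: {tablename!r}")
    if sortby not in columns:
        raise ValueError(f"sort column not allowed: {sortby!r}")
    select_list = ", ".join(quote_ident(c) for c in columns)
    sql = (f"SELECT {select_list} FROM {quote_ident(tablename)} "
           f"ORDER BY {quote_ident(sortby)}")
    return con.execute(sql).fetchall()


# A legitimate value for any of the three parameters is a bare identifier.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
IDENT_PARAMS = ("tablename", "indexname", "sortby")


def flag_suspicious(params):
    """Log-triage helper: return the identifier parameters whose recorded value
    is not a bare identifier (whitespace, quotes, comments, operators, ...)."""
    return [p for p in IDENT_PARAMS
            if p in params and not IDENTIFIER.match(params[p])]


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: the table-name position lets the caller close the
    # FROM clause, UNION in another table, and comment out the ORDER BY.
    evil = "tickets WHERE 0 UNION SELECT username, password_hash FROM users --"
    print(list_rows_vulnerable(db, evil, "id"))      # leaks rows from users
    print(list_rows_hardened(db, "tickets", "id"))   # normal ticket listing
    try:
        list_rows_hardened(db, evil, "id")
    except ValueError as exc:
        print("rejected:", exc)
    print(flag_suspicious({"tablename": evil, "sortby": "id"}))  # ['tablename']
```

The allowlist is the actual control: quoting the identifier only protects against a stray double quote once the name is already known to be one the endpoint may touch. The same bare-identifier regex that the hardened path could use as a first filter is what makes flag_suspicious useful when reviewing recorded request parameters, since any value with a space, quote, comma or comment marker in those three fields has no legitimate purpose.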
Evidence notes
This debrief is based only on the supplied CVE record and referenced disclosure materials. The record identifies Open ISES Tickets before 3.44.2, notes a SQL injection in tables.php, and links to the fixing commit ecfeb406a016766cae81c749e14b5145a9f2dbff, the v3.44.2 release tag, and the VulnCheck advisory. The provided source metadata also shows NVD vulnStatus as Deferred and classifies the weakness as CWE-89.
Official resources
Published in the supplied CVE record on 2026-05-21 18:16:19.790Z, with a later record modification at 2026-05-21 19:10:12.323Z. The provided disclosure references VulnCheck, the fixing commit, and the v3.44.2 release.