PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48232 Open ISES CVE debrief

CVE-2026-48232 is a high-severity SQL injection in Open ISES Tickets before version 3.44.2. The issue is in ajax/fullsit_incidents.php, where the offset GET parameter is concatenated into a SQL LIMIT clause without sanitization. Because the application trusts attacker-controlled input in query construction, an authenticated attacker may alter database query behavior and potentially read, modify, or destroy data. The CVE was published on 2026-05-21.

Vendor: Open ISES
Product: Tickets
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and developers running Open ISES Tickets deployments, especially environments that expose authenticated ticketing functions to end users or staff accounts. Security teams should prioritize any instance still on a version earlier than 3.44.2.

Technical summary

According to the supplied description, the vulnerable code path is ajax/fullsit_incidents.php. The offset GET parameter is inserted directly into the LIMIT portion of a SELECT statement without sanitization or parameterization, creating a classic SQL injection condition (CWE-89). The attack requires authentication, but the impact can still be broad because the injected input can change database query semantics. The supplied CVSS is 7.1 (High), and NVD lists the record as Deferred at the time of the source snapshot.
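The following is an added illustration of the query-construction defect described above, not code from Open ISES Tickets (which is PHP; this is a Python port against an in-memory SQLite table). The table, page size, offset bound and function names are constructed for the example. It places the concatenation pattern beside the hardened form so the difference in query semantics can be observed directly: the concatenated version evaluates whatever expression the client supplies in the OFFSET position, while the hardened version validates the value as a bounded integer and binds it as a parameter.

```python
import re
import sqlite3

PAGE_SIZE = 5        # rows per page (assumed for the example)
MAX_OFFSET = 10_000  # upper bound a patched handler could enforce (assumed)
SAFE_OFFSET = re.compile(r"[0-9]{1,6}")


class InvalidOffset(ValueError):
    """Raised when the request's offset is not a bounded, plain-digit integer."""


def make_db():
    """Constructed in-memory table standing in for the ticket store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE incidents (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO incidents (title) VALUES (?)",
        [(f"ticket-{i}",) for i in range(1, 21)],
    )
    return conn


def vulnerable_page(conn, raw_offset):
    """CWE-89 pattern the advisory describes: the raw request value is pasted
    into the LIMIT/OFFSET clause, so whatever text the client sends becomes SQL."""
    sql = f"SELECT id FROM incidents ORDER BY id LIMIT {PAGE_SIZE} OFFSET {raw_offset}"
    return [row[0] for row in conn.execute(sql)]


def parse_offset(raw_offset):
    """Bounded numeric validation: only ASCII digits, within [0, MAX_OFFSET]."""
    if not isinstance(raw_offset, str) or not SAFE_OFFSET.fullmatch(raw_offset):
        raise InvalidOffset(f"offset is not a plain integer: {raw_offset!r}")
    offset = int(raw_offset)
    if offset > MAX_OFFSET:
        raise InvalidOffset(f"offset exceeds bound: {offset}")
    return offset


def is_valid_offset(raw_offset):
    """Boolean wrapper around parse_offset, handy for post-patch checks."""
    try:
        parse_offset(raw_offset)
        return True
    except InvalidOffset:
        return False


def safe_page(conn, raw_offset):
    """Hardened form: validate first, then bind the value as a parameter so it
    can only ever be an integer operand, never SQL syntax."""
    offset = parse_offset(raw_offset)
    sql = "SELECT id FROM incidents ORDER BY id LIMIT ? OFFSET ?"
    return [row[0] for row in conn.execute(sql, (PAGE_SIZE, offset))]


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_page(db, "5"))         # ids 6..10, the intended page
    print(vulnerable_page(db, "5 OR 1=1"))  # expression evaluated by the DB: offset becomes 1
    print(safe_page(db, "5"))               # ids 6..10
    print(is_valid_offset("5 OR 1=1"))      # False: rejected before any SQL is built
```

Note that the concatenated form does not error on the non-numeric value; the database simply evaluates it as an expression, which is exactly why "no errors in the log" is not evidence that the parameter was handled safely. The regex plus the upper bound also rejects oversized offsets, which otherwise turn pagination into an easy way to make the database scan the whole table.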

Defensive priority

High. This is an authenticated SQL injection with direct database impact and an available fixed release reference (v3.44.2) in the supplied corpus. Upgrade or remediate promptly, then verify that no older vulnerable versions remain deployed.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Review ajax/fullsit_incidents.php and any similar query-building code for unsanitized request parameters.
  • Replace string concatenation in SQL with parameterized queries or equivalent safe query builders.
  • Restrict and monitor authenticated access to ticketing functions that reach the affected endpoint.
  • Check application and database logs for unusual query patterns or unexpected errors around the affected endpoint.
  • After patching, perform a targeted validation that the offset parameter is treated as a bounded numeric value and cannot alter SQL syntax.
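To support the log-review and post-patch validation steps above, here is an added triage script, not part of the advisory or the vendor's tooling. It reads combined-format web server access log lines (the sample lines are constructed, not real traffic), selects requests to the affected endpoint, URL-decodes the offset query value, and reports any request whose offset is not a plain bounded integer, grouped by source so repeated probing from one account stands out. The endpoint path is taken from the advisory; the leading slash, log format and field names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Endpoint path from the advisory; the web root and leading "/" are assumed.
ENDPOINT = "/ajax/fullsit_incidents.php"
SAFE_OFFSET = re.compile(r"[0-9]{1,6}")

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [21/May/2026:10:01:02 +0000] "GET /ajax/fullsit_incidents.php?offset=25 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [21/May/2026:10:02:44 +0000] "GET /ajax/fullsit_incidents.php?offset=25%20OR%201%3D1 HTTP/1.1" 200 9120 "-" "curl/8.0"
10.0.0.9 - bob [21/May/2026:10:02:51 +0000] "GET /ajax/fullsit_incidents.php?offset=25%27 HTTP/1.1" 500 233 "-" "curl/8.0"
10.0.0.7 - carol [21/May/2026:10:03:10 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - carol [21/May/2026:10:03:12 +0000] "GET /ajax/fullsit_incidents.php HTTP/1.1" 200 480 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def suspicious_offset_requests(log_text):
    """Requests to the affected endpoint whose decoded offset is not a plain
    bounded integer. A 500 beside such a value often marks a failed SQL parse;
    a 200 does not mean the value was harmless, since the DB may have
    evaluated it as an expression."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != ENDPOINT:
            continue
        # parse_qs decodes %XX escapes, so the check sees the value the app saw.
        for value in parse_qs(url.query, keep_blank_values=True).get("offset", []):
            if not SAFE_OFFSET.fullmatch(value):
                hits.append({
                    "ts": rec["ts"], "ip": rec["ip"], "user": rec["user"],
                    "status": int(rec["status"]), "offset": value,
                })
    return hits


def counts_by_source(hits):
    """Aggregate suspicious requests per (ip, user) to prioritise follow-up."""
    return dict(Counter((h["ip"], h["user"]) for h in hits))


if __name__ == "__main__":
    found = suspicious_offset_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["user"]} status={h["status"]} offset={h["offset"]!r}')
    print(counts_by_source(found))
```

The same offset rule (digits only, bounded length) doubles as the post-patch validation: after upgrading to 3.44.2, replaying a request with a non-numeric offset should be rejected by the application rather than reaching the database, and the log check should stop producing hits with status 200 for such values.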

Evidence notes

The debrief is based only on the supplied CVE description, NVD source item, and referenced upstream links. The description states the vulnerability is in ajax/fullsit_incidents.php and that the offset GET parameter is concatenated into a LIMIT clause unsafely. The provided references include the upstream commit, the v3.44.2 release tag, and the VulnCheck advisory URL. NVD metadata in the supplied source item shows vulnStatus Deferred and lists CWE-89. The CVE publication timestamp used here is 2026-05-21T18:16:19.927Z.

Official resources

Publicly disclosed on 2026-05-21 in the supplied source corpus. The referenced remediation point is Open ISES Tickets v3.44.2.