PatchSiren cyber security CVE debrief

CVE-2026-48233 Open ISES CVE debrief

CVE-2026-48233 describes a SQL injection flaw in Open ISES Tickets before version 3.44.2. The issue is in ajax/sit_incidents.php, where the offset GET parameter is concatenated into a SQL LIMIT clause without sanitization. Because the vulnerable path is reachable by authenticated users, the risk is meaningful for environments that expose this feature to normal application accounts. The vendor attribution in the supplied corpus is low-confidence and should be reviewed, but the affected project and fixed release are clearly identified in the referenced advisory and release tag.

Vendor: Open ISES
Product: Tickets
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and security teams running Open ISES Tickets, especially environments where authenticated users can access ajax/sit_incidents.php or related incident listing functions. Database administrators and application owners should also care because SQL injection can affect query integrity and stored data.

Technical summary

The supplied description states that before Open ISES Tickets 3.44.2, the offset GET parameter in ajax/sit_incidents.php was concatenated directly into the LIMIT clause of a SELECT statement. That pattern enables SQL injection because attacker-controlled input becomes part of the query text and can change its syntax rather than only its data values. The provided CVSS vector indicates network reachability, low attack complexity, and that privileges are required, with high confidentiality impact and low integrity impact.
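The pattern above, and one way to close it, as an added illustration written for this debrief; it is not code from Open ISES Tickets, and the $pdo handle, the incidents table and its columns, and the OFFSET spelling of the LIMIT clause are assumptions.

```php
<?php
// Added illustration, not Open ISES Tickets code. Shows a GET parameter
// spliced into a LIMIT clause and a hardened version of the same listing.
// $pdo, the incidents table and its columns are assumptions.

// Vulnerable pattern: the raw query-string value becomes part of the SQL text,
// so anything other than a number changes the statement itself.
function list_incidents_vulnerable(PDO $pdo, array $get): array {
    $offset = $get['offset'] ?? 0;
    $sql = "SELECT id, title FROM incidents ORDER BY id LIMIT 20 OFFSET " . $offset;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a non-negative integer within a sane bound.
// FILTER_VALIDATE_INT rejects "5 UNION ...", "5.0", "0x5" and array input.
function parse_offset($raw, int $max = 1000000): int {
    $offset = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    if ($offset === false) {
        throw new InvalidArgumentException("offset must be an integer in [0, $max]");
    }
    return $offset;
}

// Bind the validated value as an integer parameter. PDO::PARAM_INT matters
// here: with emulated prepares a string would be quoted, and MySQL rejects
// a quoted LIMIT/OFFSET value.
function list_incidents_hardened(PDO $pdo, array $get): array {
    $offset = parse_offset($get['offset'] ?? 0);
    $stmt = $pdo->prepare(
        'SELECT id, title FROM incidents ORDER BY id LIMIT 20 OFFSET :offset'
    );
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Rejecting the request with a 400 when parse_offset() throws also gives the log review step a clean signal: every malformed offset value surfaces as a distinct error instead of a database exception.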

Defensive priority

High. SQL injection in an authenticated application path can expose or alter database contents, so upgrading and verifying exposure should be treated as a priority remediation task.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Review access to ajax/sit_incidents.php and restrict it to the minimum necessary authenticated users.
  • Inspect application and database logs for suspicious offset values, malformed requests, or unexpected SQL errors.
  • Validate database integrity and review for unauthorized reads or changes if the vulnerable version was deployed.
  • Confirm all instances and forks of the affected project are inventoried and patched consistently.

Evidence notes

The core facts come from the supplied CVE description and the referenced upstream materials: the vulncheck advisory, the upstream commit, and the v3.44.2 release tag. The NVD record is included in the source corpus and marks the vulnerability status as Deferred. The product/vendor attribution in the prompt is low-confidence, so the debrief avoids over-claiming beyond the supplied evidence.

Official resources

Publicly disclosed in the supplied VulnCheck advisory and reflected in the NVD record on 2026-05-21. The referenced materials identify Open ISES Tickets v3.44.2 as the fixed release and point to the upstream commit associated with the patch.