PatchSiren cyber security CVE debrief
CVE-2026-48234 Open ISES CVE debrief
CVE-2026-48234 describes an authenticated SQL injection in Open ISES Tickets before version 3.44.2. The vulnerable code path concatenates the sort and dir GET parameters into an ORDER BY clause without sanitization, which can let an attacker alter query behavior. The stated impact includes unauthorized reading, modification, or destruction of database contents. The supplied CVSS 4.0 vector indicates network reachability, low privileges, and high confidentiality impact, with the overall severity rated HIGH.
- Vendor: Open ISES
- Product: Tickets
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and developers running Open ISES Tickets instances, especially those still on versions earlier than 3.44.2. Security teams should also review any environment where authenticated users can reach the affected portal endpoint.
Technical summary
The issue is an SQL injection in portal/ajax/list_requests.php. According to the supplied description, the sort and dir GET parameters are inserted into an ORDER BY clause of a SELECT statement without sanitization. Because the attacker is authenticated, the precondition is lower than a public unauthenticated bug, but the impact remains serious: query manipulation may expose, alter, or damage database records. The source material also references an upstream fix commit and a v3.44.2 release tag, which are the strongest indicators of remediation availability.
Defensive priority
High. This is a reachable authenticated database injection with direct data-confidentiality and data-integrity risk, and a fix version is available.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Confirm the fix commit referenced in the advisory is present in the deployed codebase.
- Review access to portal/ajax/list_requests.php and ensure only intended authenticated users can reach it.
- Inspect application and database logs for unusual sorting parameters, query errors, or unexpected data access patterns.
- Validate database account privileges so the application uses the least privilege required.
- If suspicious activity is found, assess for data exposure or tampering and rotate credentials as appropriate.
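The following is an added illustration of the flaw class described in the technical summary and of the remediation pattern behind the upgrade advice; it is not code from Open ISES Tickets. The table alias, column names and the log line are assumptions chosen for the example.

```php
<?php
// Added example, not Open ISES code. Column map, table alias and log text are assumed.

// The pattern the advisory describes: request values spliced straight into ORDER BY.
// Column names and sort directions are SQL identifiers/keywords, so they cannot be
// bound as prepared-statement parameters; a server-side allowlist is the standard fix.
function orderByUnsafe(string $sort, string $dir): string
{
    return "ORDER BY $sort $dir";
}

// Hardened form: translate request values into fixed, server-defined SQL fragments.
const SORT_COLUMNS = [
    'id'      => 'r.id',
    'subject' => 'r.subject',
    'created' => 'r.created_at',
    'status'  => 'r.status',
];
const SORT_DIRS = ['asc' => 'ASC', 'desc' => 'DESC'];

function orderBySafe(?string $sort, ?string $dir): string
{
    $sort = $sort ?? 'created';
    $dir  = strtolower($dir ?? 'desc');
    if (!isset(SORT_COLUMNS[$sort]) || !isset(SORT_DIRS[$dir])) {
        // Reject rather than silently repair: the log entry is the signal a detection
        // rule for unusual sorting parameters can key on.
        error_log(sprintf('list_requests: rejected sort=%s dir=%s',
            json_encode($sort), json_encode($dir)));
        throw new InvalidArgumentException('invalid sort parameters');
    }
    return sprintf('ORDER BY %s %s', SORT_COLUMNS[$sort], SORT_DIRS[$dir]);
}

// Constructed inputs standing in for $_GET['sort'] and $_GET['dir'].
echo orderBySafe('subject', 'asc'), PHP_EOL;
try {
    echo orderBySafe('not_a_column', 'asc'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    // The endpoint would answer 400 Bad Request here instead of running the query.
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same allowlist approach applies to any identifier-position input (column, table, direction) because parameter binding only covers values, not SQL structure.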
Evidence notes
The supplied CVE record states the vulnerable path and impact, and the reference set includes an upstream Git commit and the v3.44.2 release tag, which support the claimed fix boundary. NVD marks the record as Deferred in the provided metadata, so the source references are especially important for validation. The vendor field in the supplied data is low-confidence and should be treated cautiously.
Official resources
Published by the CVE source on 2026-05-21T18:16:20.180Z and modified on 2026-05-21T19:10:12.323Z. No KEV entry was supplied for this CVE.