PatchSiren cyber security CVE debrief
CVE-2026-48237 Open ISES CVE debrief
CVE-2026-48237 affects Open ISES Tickets before version 3.44.2 and was published on 2026-05-21. The vulnerability is a SQL injection in message.php involving the frm_ticket_id and frm_resp_id POST parameters. Because those values are concatenated into WHERE clauses without sanitization, an authenticated attacker can alter query behavior and potentially read, modify, or destroy database contents. A fix is referenced in the upstream 3.44.2 release and a corresponding commit.
- Vendor: Open ISES
- Product: Tickets
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and developers responsible for Open ISES Tickets deployments before 3.44.2 should treat this as important. Security teams should also care if the application is reachable by authenticated users who can submit ticket-related requests.
Technical summary
The issue is classified as CWE-89 (SQL Injection). According to the source corpus, message.php uses frm_ticket_id and frm_resp_id in SELECT/UPDATE WHERE clauses without sanitization, allowing query manipulation. The supplied record also lists CVSS 4.0 vector elements indicating network exposure, low attack complexity, and that privileges are required, with confidentiality impact high and integrity impact low.
Defensive priority
High. Remediate promptly by upgrading to the fixed release and reviewing any exposed authenticated workflows that interact with message.php or related ticket-handling code.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Review the upstream fix in the referenced commit to understand the code path change.
- Audit message.php and related request handlers for parameterized queries and input validation.
- Check logs for unusual ticket-message requests that may indicate query manipulation attempts.
- Restrict authenticated access to the minimum necessary users until patching is complete.
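To make the technical summary and the audit step concrete, the following is an added illustration written for this debrief, not Open ISES code and not the upstream fix. Only message.php, frm_ticket_id and frm_resp_id come from the advisory; the table and column names (ticket_responses, ticket_id, id, body) and the function names are assumptions.

```php
<?php
// Added illustration, not Open ISES code. Schema names are assumptions; only
// message.php, frm_ticket_id and frm_resp_id are taken from the advisory.

// Pattern the advisory describes (CWE-89): POST values concatenated straight
// into a WHERE clause, so the request body decides the shape of the query.
function load_response_unsafe(mysqli $db, array $post): ?array {
    $sql = "SELECT body FROM ticket_responses WHERE ticket_id = "
         . $post['frm_ticket_id'] . " AND id = " . $post['frm_resp_id'];
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened form, step 1: the two ids are integers, so reject anything else
// before it gets near the database (400 rather than silently coercing).
function read_int_param(array $post, string $name): int {
    $v = filter_var($post[$name] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1]]);
    if ($v === false) {
        http_response_code(400);
        exit("invalid $name");
    }
    return $v;
}

// Step 2: prepared statements with bound parameters. The query text is fixed
// at prepare time; the ids travel as typed values and cannot alter it.
function load_response_safe(mysqli $db, array $post): ?array {
    $ticketId = read_int_param($post, 'frm_ticket_id');
    $respId   = read_int_param($post, 'frm_resp_id');
    $stmt = $db->prepare(
        "SELECT body FROM ticket_responses WHERE ticket_id = ? AND id = ?");
    $stmt->bind_param('ii', $ticketId, $respId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Same treatment for the UPDATE path the advisory mentions; the row count
// tells the caller whether exactly the intended response was changed.
function update_response_safe(mysqli $db, array $post, string $newBody): int {
    $ticketId = read_int_param($post, 'frm_ticket_id');
    $respId   = read_int_param($post, 'frm_resp_id');
    $stmt = $db->prepare(
        "UPDATE ticket_responses SET body = ? WHERE ticket_id = ? AND id = ?");
    $stmt->bind_param('sii', $newBody, $ticketId, $respId);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}
```

Binding stops the parameters from changing query structure; it does not by itself decide whether the authenticated caller is allowed to read or edit that ticket, which remains a separate authorization check in the handler.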
Evidence notes
This debrief is based only on the supplied CVE record and referenced upstream materials. The CVE was published and last modified on 2026-05-21. The source corpus identifies the weakness as CWE-89 and links a fix to the openises/tickets 3.44.2 release and upstream commit. Vendor metadata in the supplied item is low-confidence and marked for review, so the product mapping here follows the reference corpus rather than the vendor field alone.
Official resources
Publicly disclosed and published on 2026-05-21. The supplied references point to an upstream fix in version 3.44.2 and an associated commit, indicating remediation was available at disclosure time.