PatchSiren cyber security CVE debrief
CVE-2026-48238 Open ISES CVE debrief
CVE-2026-48238 affects Open ISES Tickets before version 3.44.2. The issue is a SQL injection in ajax/mobile_main.php: the id GET parameter is concatenated without sanitization into the WHERE clause of a SELECT statement used as a ticket-existence sanity check. Because the request must be authenticated, the barrier to entry is higher than for a public unauthenticated flaw, but successful exploitation could still let an attacker read, alter, or destroy database contents. The CVE was published on 2026-05-21 and references a fixing commit plus the 3.44.2 release.
- Vendor: Open ISES
- Product: Tickets
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators running Open ISES Tickets instances before 3.44.2, application security teams, database administrators, and incident responders should prioritize this issue. Any environment that exposes authenticated ticket workflows over the network should treat it as urgent until patched and validated.
Technical summary
The vulnerable code path is ajax/mobile_main.php. According to the supplied description, the id GET parameter is directly concatenated into a WHERE clause in a SELECT statement that performs a ticket-existence sanity check. That pattern creates CWE-89 SQL injection exposure when user input is not parameterized or otherwise safely validated. The supplied CVSS vector indicates network reachability, low attack complexity, low privileges, no user interaction, and potential high confidentiality impact with some integrity impact.
Defensive priority
High. The flaw is remotely reachable by authenticated users and can affect database confidentiality and integrity. Patch urgency is elevated because the vulnerability sits in a request-processing path and the described impact includes database modification or destruction, not just data disclosure.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later immediately.
- Verify that the fixing commit referenced in the advisory is present in your deployed codebase.
- Review authentication logs and application logs for unusual requests to ajax/mobile_main.php, especially unexpected id values.
- Assume the database may have been exposed if the vulnerable version was reachable by untrusted authenticated users; investigate for unauthorized reads or changes.
- Review the affected code path for parameterized queries and add server-side input validation where appropriate.
- If compromise is suspected, rotate application and database credentials and validate backups before restoration.
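The concatenation pattern described in the technical summary beside its validated, parameterized form, plus a small check over access-log lines for the log-review step above. This is an added example written for this debrief, not Open ISES code: the in-memory SQLite tickets table, the constructed log lines, and the assumption that a ticket id is a plain integer are mine.

```python
import re
import sqlite3
from urllib.parse import parse_qs

ID_SHAPE = re.compile(r"[0-9]{1,10}")   # assumed: a ticket id is a plain integer
LOG_RE = re.compile(r'"GET /ajax/mobile_main\.php\?([^ "]*)')

def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the ticket table; the real schema is not on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?)",
                     [(1, "printer down"), (2, "vpn access")])
    return conn

def ticket_exists_unsafe(conn: sqlite3.Connection, raw_id: str) -> bool:
    # Mirrors the described defect: the GET parameter is concatenated into the
    # WHERE clause, so the caller controls the query's structure, not just a value.
    sql = "SELECT COUNT(*) FROM tickets WHERE id = " + raw_id
    return conn.execute(sql).fetchone()[0] > 0

def ticket_exists_safe(conn: sqlite3.Connection, raw_id: str) -> bool:
    # Hardened form: validate the shape server-side, then bind the value as a
    # parameter so the database never interprets it as SQL.
    if not ID_SHAPE.fullmatch(raw_id):
        return False
    row = conn.execute("SELECT COUNT(*) FROM tickets WHERE id = ?",
                       (int(raw_id),)).fetchone()
    return row[0] > 0

def suspicious_requests(log_lines):
    # Log-review helper: report (client, id) for requests to the vulnerable
    # endpoint whose id parameter is not a plain integer.
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        id_value = parse_qs(m.group(1)).get("id", [""])[0]
        if not ID_SHAPE.fullmatch(id_value):
            flagged.append((line.split()[0], id_value))
    return flagged

# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [21/May/2026:10:01:02 +0000] "GET /ajax/mobile_main.php?id=17 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [21/May/2026:10:02:40 +0000] "GET /ajax/mobile_main.php?id=17%20OR%201%3D1 HTTP/1.1" 200 4096',
    '10.0.0.5 - alice [21/May/2026:10:03:11 +0000] "GET /index.php HTTP/1.1" 200 2048',
]
```

The unsafe check reports a nonexistent ticket as present when the id carries extra SQL, while the safe check rejects that input before it reaches the database; the same integer-shape rule drives the log flagging.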
Evidence notes
The supplied source material identifies the flaw as SQL injection in ajax/mobile_main.php involving the id GET parameter, lists CWE-89, and points to a fixing commit and the v3.44.2 release. The NVD record was published and modified on 2026-05-21, and its reference set matches the advisory links provided. The vendor attribution in the supplied data is low confidence, so the debrief uses the product name from the advisory context without expanding vendor claims beyond the corpus.
Official resources
Publicly disclosed via VulnCheck advisory and reflected in the NVD record on 2026-05-21; the supplied references include the fixing commit and the 3.44.2 release tag.