PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48240 Open ISES CVE debrief

CVE-2026-48240 is a high-severity SQL injection affecting Open ISES Tickets before 3.44.2. The vulnerable code in ajax/statistics.php concatenates tick_id and f_tick_id POST values into WHERE clauses in statistics rollup SELECT queries without sanitization, allowing authenticated attackers to change query behavior and potentially read, modify, or destroy database contents. A fix is present in the 3.44.2 release and linked commit.

Vendor: Open ISES
Product: Tickets
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Operators and maintainers of Open ISES Tickets, especially administrators of internet-facing deployments, application security teams, and anyone responsible for the backend database or custom integrations.

Technical summary

The issue is a CWE-89 SQL injection in ajax/statistics.php. Two POST parameters, tick_id and f_tick_id, are directly concatenated into WHERE clauses used by statistics rollup SELECT statements. Because the inputs are not sanitized or parameterized, an authenticated attacker can alter query semantics. The described impact includes unauthorized database reads and the possibility of data modification or destruction. The vulnerability is fixed in v3.44.2.

Defensive priority

High. The attack requires authentication but can affect the confidentiality and integrity of the application database.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Verify that all deployed instances and any bundled images or containers have the patched code path.
  • Review application and database logs for unusual statistics-rollup queries or unexpected POST values targeting ajax/statistics.php.
  • If compromise is suspected, assess database integrity and rotate any credentials or secrets that may have been exposed.
  • Confirm the application database account uses least-privilege access and cannot perform unnecessary destructive actions.
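The log review suggested above can be scripted. The following Python is an added illustration, not code from the advisory or from Open ISES: it scans constructed sample log lines for POSTs to ajax/statistics.php and flags any tick_id or f_tick_id value that is not a plain integer. The log line format and the assumption that ticket ids are numeric are both assumptions made for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines (not from the advisory):
# "<timestamp> <client> <method> <path> body=<urlencoded POST body>"
SAMPLE_LOG = """\
2026-05-22T10:01:02Z 10.0.0.5 POST /ajax/statistics.php body=tick_id=1042&f_tick_id=7
2026-05-22T10:01:09Z 10.0.0.5 POST /ajax/statistics.php body=tick_id=1042%27&f_tick_id=7
2026-05-22T10:02:11Z 10.0.0.9 POST /ajax/statistics.php body=tick_id=15&f_tick_id=3%20x
2026-05-22T10:03:00Z 10.0.0.9 GET /index.php body=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) body=(?P<body>.*)$"
)
WATCHED_PARAMS = ("tick_id", "f_tick_id")  # the two parameters named in the CVE
NUMERIC_RE = re.compile(r"^\d+$")           # assumption: ticket ids are plain integers


def suspicious_values(body: str) -> dict:
    """Return watched parameters whose URL-decoded value is not a plain integer."""
    params = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if not NUMERIC_RE.match(value):
                hits[name] = value
    return hits


def scan_log(text: str) -> list:
    """Return (timestamp, client, param, value) for flagged POSTs to ajax/statistics.php."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not match the assumed log format
        if m["method"] != "POST" or not m["path"].endswith("ajax/statistics.php"):
            continue  # only the vulnerable endpoint and method are of interest
        for name, value in suspicious_values(m["body"]).items():
            findings.append((m["ts"], m["client"], name, value))
    return findings


if __name__ == "__main__":
    for ts, client, name, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {name}={value!r}")
```

A non-numeric value is only a trigger for closer inspection; correlate flagged requests with the database query log and the account that authenticated.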

Evidence notes

The CVE description states the vulnerable parameters and impact directly. The linked Git commit and the v3.44.2 release provide patch corroboration, while the NVD record cites VulnCheck as the disclosure source. The NVD item in the supplied corpus is marked vulnStatus Deferred, so the official database detail may lag the disclosure.

Official resources

Public disclosure is attributed to VulnCheck in the supplied NVD record, with corroborating evidence from the fix commit and the Open ISES Tickets v3.44.2 release.