PatchSiren cyber security CVE debrief
CVE-2026-48241 Open ISES CVE debrief
CVE-2026-48241 is a critical credential-exposure issue in Open ISES Tickets versions before 3.44.2. The affected loader.php file contains hardcoded MySQL database credentials committed to the source repository. If an attacker can read the public source tree or access the file on a deployed system, they may recover the database username, password, and database name and attempt to connect to the database if it is reachable from their network. The upstream fix is associated with the 3.44.2 release.
- Vendor: Open ISES
- Product: Tickets
- CVSS: CRITICAL 9.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators, developers, and operators of Open ISES Tickets deployments before 3.44.2 should treat this as urgent. It also matters to anyone who mirrors, packages, or deploys the public source tree, and to teams responsible for the reachable MySQL database behind the application.
Technical summary
The vulnerability is a hardcoded-secrets flaw (CWE-798) in loader.php. The source-corpus description states that MySQL credentials were committed to the repository and are readable by any actor with access to the public source tree or to the deployed file. Because the exposed values include the database username, password, and database name, the issue can lead to unauthorized database access wherever the database is reachable over the network. The provided CVSS vector reflects network attackability with no privileges or user interaction required, but with high attack complexity, because exploitation depends on two conditions: access to the source tree or the deployed file, and a database that is reachable from the attacker's network.
Defensive priority
Urgent. This is a critical credential exposure that can directly compromise database confidentiality and integrity. Remediation should be prioritized alongside credential rotation, because code fixes alone do not invalidate already exposed secrets.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Rotate the exposed MySQL credentials immediately and confirm the old credentials no longer work.
- Restrict network access to the MySQL service so it is not reachable from untrusted networks.
- Search the repository and deployed artifacts for any other hardcoded secrets or copied credential files.
- Review access to loader.php and confirm it is not exposed in a way that reveals secrets to unauthenticated users.
- Validate that any systems using the exposed database account are monitored for suspicious connections or query activity.
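As an added example for the "search for other hardcoded secrets" step (this is not code from the advisory or from the Open ISES project), the scanner below flags PHP lines that assign string literals to credential-like variables or pass literals straight into a MySQL connect call, while ignoring values read via getenv() or $_ENV. The variable names it looks for are assumed typical naming, and both PHP samples are constructed, not the real loader.php.

```python
import re
from pathlib import Path

# Credential-like PHP variable names (assumed typical naming; the real
# loader.php identifiers are not given in the advisory).
SECRET_ASSIGNMENT = re.compile(
    r"""\$(?P<name>\w*(?:pass|pwd|secret|user|db_?name)\w*)\s*=\s*['"][^'"]+['"]""",
    re.IGNORECASE,
)
# A connect call is a finding only when string literals are passed directly.
LITERAL_CONNECT = re.compile(
    r"""(?:mysqli_connect|new\s+mysqli|mysql_connect)\s*\((?P<args>[^)]*)\)""", re.IGNORECASE
)
QUOTED_LITERAL = re.compile(r"""['"][^'"]+['"]""")
# getenv()/$_ENV lookups are the fix, so they are blanked out before matching.
ENV_LOOKUP = re.compile(r"""getenv\s*\([^)]*\)|\$_ENV\[[^\]]*\]""")

def find_hardcoded_credentials(source: str) -> list[dict]:
    """Return one finding per credential-looking string literal in PHP source."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = ENV_LOOKUP.sub("", raw)
        for m in SECRET_ASSIGNMENT.finditer(line):
            findings.append({"line": lineno, "kind": "assignment", "name": m.group("name")})
        for m in LITERAL_CONNECT.finditer(line):
            if QUOTED_LITERAL.search(m.group("args")):
                findings.append({"line": lineno, "kind": "connect_literal", "name": None})
    return findings

def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Scan every *.php file under root; only files with findings are returned."""
    results = {}
    for path in root.rglob("*.php"):
        hits = find_hardcoded_credentials(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed samples, not the real Open ISES loader.php.
VULNERABLE_SAMPLE = """<?php
$db_host = 'localhost';
$db_user = 'tickets_app';
$db_pass = 'S3cretExample!';
$db_name = 'tickets';
$link = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
"""
FIXED_SAMPLE = """<?php
$link = mysqli_connect(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
"""
```

Run `scan_tree(Path("/path/to/checkout"))` over a source checkout or a deployed web root; a match on the hardened sample returns nothing, while the vulnerable sample reports the user, password, and database name assignments.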
Evidence notes
Supported by the upstream fix reference in commit ecfeb406a016766cae81c749e14b5145a9f2dbff and the v3.44.2 release tag. The VulnCheck advisory URL is listed in the source corpus, and NVD records the CVE with CWE-798 and a CVSS 4.0 vector indicating critical impact. NVD currently lists the vulnerability status as Deferred in the supplied record.
Official resources
The supplied corpus attributes disclosure to VulnCheck and ties the issue to an upstream fix commit and the Open ISES Tickets v3.44.2 release. The CVE was published on 2026-05-21.