PatchSiren

CVE-2026-48243 Open ISES CVE debrief

CVE-2026-48243 describes a hardcoded WhitePages reverse-phone API key embedded in wp1.php in Open ISES Tickets before version 3.44.2. Because the key was committed to the public source repository, anyone with read access to the source tree could extract it and use it to make third-party API calls that could be billed to, or rate-limited against, the original account. The CVE record was published on 2026-05-21 and modified later the same day.

Vendor: Open ISES
Product: Tickets
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Security and development teams responsible for Open ISES Tickets deployments, maintainers with repository access, and anyone who may have exposed WhitePages credentials in source control. Organizations that rely on the affected version should also care because the risk includes unauthorized third-party API usage and account impact.

Technical summary

The issue is a credential exposure problem rather than a memory-safety or code-execution flaw. NVD and the cited VulnCheck advisory describe a hardcoded WhitePages reverse-phone API key in wp1.php, committed to the public source repository for Open ISES Tickets before 3.44.2. That makes the key discoverable by anyone with source read access and enables unauthorized use of the WhitePages API under the original account. The supplied weakness mapping identifies CWE-798 (Use of Hard-coded Credentials).

Defensive priority

Medium. The flaw does not indicate direct system compromise, but exposed third-party credentials can create immediate billing, quota, and abuse risk and should be removed quickly.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Revoke or rotate the exposed WhitePages API key immediately.
  • Review repository history and release artifacts for any additional hardcoded secrets.
  • Replace embedded credentials with a secret-management approach or environment-based configuration.
  • Check WhitePages account usage, rate limits, and billing activity for unauthorized API calls.
  • Scan related code paths and commits for similar hardcoded credential patterns.
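
One way to carry out the review and scanning steps above, as an added example that is not Open ISES or PatchSiren code: a small Python scanner that flags credential-like literals in PHP source and skips placeholders and environment-based lookups. The sample PHP, the key value, the example.invalid URL and the WHITEPAGES_API_KEY variable name are constructed for illustration; the page does not show how the key appears in wp1.php.

```python
import math
import re
from collections import Counter

# Credential-like name followed by a quoted literal: $var = '...',
# 'name' => '...', or define('NAME', '...').
ASSIGN = re.compile(
    r"""(?i)\b(\w*(?:api_?key|secret|token|passw(?:or)?d)\w*)['"]?\s*"""
    r"""(?:=>|=|,)\s*(['"])([^'"\s]{12,})\2""")
# Credential-like query parameter with a literal value inside a URL string.
QUERY = re.compile(r"(?i)[?&](\w*(?:api_?key|token))=([A-Za-z0-9_\-]{12,})")

# Constructed sample input: not the contents of wp1.php, and not a real key.
SAMPLE_PHP = '''<?php
$wp_api_key = 'EXAMPLE0a1b2c3d4e5f6a7b8c9d';
$url = "https://api.example.invalid/lookup?api_key=EXAMPLE0a1b2c3d4e5f6a7b8c9d&phone=" . $phone;
$wp_api_key = 'xxxxxxxxxxxxxxxxxxxx';
$wp_api_key = getenv('WHITEPAGES_API_KEY');
'''

def shannon_entropy(s):
    """Bits per character; low values indicate placeholders such as 'xxxx...'."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_php(source, min_entropy=3.0):
    """Return (line number, matched name, redacted value) for likely secrets."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        hits = [(m.group(1), m.group(3)) for m in ASSIGN.finditer(line)]
        hits += [(m.group(1), m.group(2)) for m in QUERY.finditer(line)]
        for name, value in hits:
            if shannon_entropy(value) >= min_entropy:
                # Report only a prefix so the scan output is not itself a leak.
                findings.append((lineno, name, value[:4] + "..."))
    return findings

if __name__ == "__main__":
    for lineno, name, redacted in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: {name} = {redacted}")
```

Running the same function over the text of `git log -p` extends the check to past commits, where a removed key remains readable.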

Evidence notes

The assessment is based on the supplied NVD record and the referenced VulnCheck advisory, plus the linked Open ISES Tickets commit and v3.44.2 release tag. The CVE record shows a publication timestamp of 2026-05-21T18:16:21.380Z and a modification timestamp of 2026-05-21T19:10:12.323Z. NVD lists the vulnerability status as Deferred and maps the issue to CWE-798. The supplied corpus does not include evidence of KEV listing or confirmed exploitation.

Official resources

Publicly recorded on 2026-05-21 in the CVE/NVD ecosystem; the supplied NVD snapshot marks the entry as Deferred and the referenced remediation is tied to Open ISES Tickets v3.44.2.