PatchSiren cyber security CVE debrief
CVE-2026-48246 Open ISES CVE debrief
CVE-2026-48246 affects Open ISES Tickets before version 3.44.2. During incident report generation, ajax/reports.php makes outbound HTTPS requests for Google Maps Directions API lookups with TLS certificate verification disabled, which can let an attacker on the network path intercept or alter traffic. The issue is rated HIGH and is addressed in v3.44.2.
- Vendor: Open ISES
- Product: Tickets
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and developers responsible for Open ISES Tickets deployments, especially systems that generate incident reports and make outbound HTTPS requests from the application server. Security teams should care because the weakness can undermine the confidentiality and integrity of data in transit.
Technical summary
The vulnerability is a TLS verification failure (CWE-295). According to the supplied description, ajax/reports.php sets CURLOPT_SSL_VERIFYPEER to false and does not set CURLOPT_SSL_VERIFYHOST when issuing outbound HTTPS requests for Google Maps Directions API lookups. That means the application does not properly validate the remote certificate or host identity, creating a man-in-the-middle opportunity on the server-to-service connection. The risk is limited to workflows that trigger the report-generation lookup, but the impact can include interception or modification of request and response data in transit.
Defensive priority
High. Apply the fixed release promptly if you run affected Open ISES Tickets versions, because the flaw weakens HTTPS trust during server-side outbound requests and can expose sensitive data on the wire.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Review any server-side outbound HTTPS integrations in ajax/reports.php and confirm certificate and host verification are enabled.
- Validate that CURLOPT_SSL_VERIFYPEER is not disabled and CURLOPT_SSL_VERIFYHOST is set appropriately in any custom patches or forks.
- Monitor incident-report generation traffic for unexpected proxying, certificate anomalies, or outbound connection failures after remediation.
- If incident reports rely on external APIs, confirm API credentials and other sensitive values are not exposed in logs or diagnostic traces.
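One way to run the verification-settings check from the list above across a deployment, custom patch, or fork, as an added example that is not part of the advisory or the Open ISES project: a small Python scanner that flags PHP lines turning off CURLOPT_SSL_VERIFYPEER or setting CURLOPT_SSL_VERIFYHOST to 0. The function names and the sample PHP input are constructed for illustration.

```python
import re
from pathlib import Path

# Matches curl_setopt(..., OPT, value) and curl_setopt_array entries
# (OPT => value) where the value switches the TLS check off.
WEAK = re.compile(
    r"\b(CURLOPT_SSL_VERIFYPEER|CURLOPT_SSL_VERIFYHOST)\s*(?:,|=>)\s*(false|0)\b",
    re.IGNORECASE,
)

def find_weak_curl_tls(php_source):
    """Return (line_no, option, value) for each setting that disables a TLS check."""
    findings = []
    for no, line in enumerate(php_source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip lines that are entirely comments
        for m in WEAK.finditer(line):
            findings.append((no, m.group(1).upper(), m.group(2).lower()))
    return findings

def scan_tree(root):
    """Scan every .php file under root; returns {relative_path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_weak_curl_tls(path.read_text(errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

# Constructed sample input (not code from Open ISES Tickets).
SAMPLE = """<?php
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$ok = curl_init($url);
curl_setopt_array($ok, [
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
]);
// curl_setopt($ok, CURLOPT_SSL_VERIFYHOST, 0);
$legacy = curl_init($url);
curl_setopt_array($legacy, [CURLOPT_SSL_VERIFYHOST => 0]);
"""

if __name__ == "__main__":
    for no, opt, val in find_weak_curl_tls(SAMPLE):
        print(f"line {no}: {opt} set to {val}")
```

A line-based match misses values passed through variables, so treat an empty report as a starting point and still review the curl calls in ajax/reports.php by hand.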
Evidence notes
The issue description provided with the CVE states that Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php during Google Maps Directions API lookups. The supplied reference set includes a Git commit that appears to fix the issue, a v3.44.2 release tag, and a VulnCheck advisory. The NVD metadata in the supplied corpus lists the vulnerability status as Deferred and maps the weakness to CWE-295. No KEV entry was provided in the supplied timeline.
Official resources
Disclosed on 2026-05-21 in the supplied source corpus, with the CVE published the same day and no KEV entry provided. The cited fix is associated with Open ISES Tickets v3.44.2.