PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35007 openises CVE debrief

CVE-2026-35007 describes a reflected cross-site scripting (XSS) vulnerability in Open ISES Tickets before version 3.44.2. The flaw is in single_unit.php, where the id GET parameter is written into an HTML attribute without sanitization or output encoding. An authenticated attacker can craft a URL carrying a script payload; when a victim opens the link, the payload is reflected into the response and executes in the victim's browser. The CVE was published on 2026-05-20, and no KEV entry is present in the supplied corpus.

Vendor
openises
Product
tickets
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-20
Original CVE updated
2026-05-21
Advisory published
2026-05-20
Advisory updated
2026-05-21

Who should care

Administrators and operators running Open ISES Tickets versions earlier than 3.44.2 should treat this as relevant, especially where logged-in users receive and open links to the application, since a reflected XSS only fires when a victim follows the crafted URL while using the site. Security teams responsible for web application hardening and input/output encoding should also review affected deployments.

Technical summary

The issue is a reflected XSS vulnerability classified as CWE-79. In single_unit.php, the id parameter from the query string is not sanitized before being placed into an HTML attribute context. Because the payload is reflected in the response, an attacker with authentication can lure a victim into visiting a crafted URL that causes attacker-controlled JavaScript to run in the victim's browser, with whatever access that victim's session carries. Attribute context matters for the fix: the classic break-out is to close the quoted attribute and introduce a new event-handler attribute, so output encoding for this position must neutralize both double and single quotes as well as angle brackets, and the value should additionally be constrained to the shape an id is expected to have. The supplied source references point to a fixing commit and the v3.44.2 release tag.
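The following is an added illustration of the attribute-context reflection pattern described above and of a hardened replacement. It is not the Open ISES Tickets source and not taken from the fixing commit: the function names, the markup, the assumption that a unit id is a positive integer, and the break-out strings are all constructed for this example.

```php
<?php
// Added illustration of the attribute-context reflected XSS pattern described above.
// This is not the Open ISES Tickets source: the function names, markup and inputs
// are constructed here to show the bug shape and a hardened replacement.

// Vulnerable shape (hypothetical): the raw query-string value is concatenated into an attribute.
function render_vulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    return '<input type="hidden" name="id" value="' . $id . '">';
}

// Hardened shape: constrain the value first, then encode for the attribute context.
function render_hardened(array $get): string
{
    $raw = $get['id'] ?? '';
    // Assumption for this example: a unit id is a positive integer, so anything else is rejected.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '<p>Invalid id</p>';
    }
    // Encode even the validated value: output encoding is the defence that still holds
    // if the validation rule is loosened later. ENT_QUOTES covers both quote characters.
    $safe = htmlspecialchars((string) $id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="id" value="' . $safe . '">';
}

// Constructed inputs: a normal id and a generic attribute break-out string
// (an illustration of the technique, not a payload taken from the advisory).
$normal   = ['id' => '42'];
$breakout = ['id' => '42" onmouseover="alert(1)'];

echo "vulnerable, normal:   ", render_vulnerable($normal), PHP_EOL;
echo "vulnerable, breakout: ", render_vulnerable($breakout), PHP_EOL; // attribute closes early, handler injected
echo "hardened, normal:     ", render_hardened($normal), PHP_EOL;
echo "hardened, breakout:   ", render_hardened($breakout), PHP_EOL;   // rejected before it reaches the markup

// Encoding alone, without validation: the flag choice matters in attribute context.
// ENT_COMPAT leaves single quotes untouched, so a single-quoted attribute stays exploitable;
// ENT_QUOTES encodes them as well.
$singleQuoted = "42' onfocus='alert(1)";
echo "ENT_COMPAT: ", htmlspecialchars($singleQuoted, ENT_COMPAT), PHP_EOL;
echo "ENT_QUOTES: ", htmlspecialchars($singleQuoted, ENT_QUOTES), PHP_EOL;
```

Run it with `php` on the command line to see the vulnerable rendering emit a second attribute while the hardened one rejects the input. The last two lines show why the encoding flags are worth checking during the review suggested below: encoding that skips single quotes is still a bug when the attribute happens to be single-quoted.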

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Review single_unit.php and any related request handlers for proper output encoding in HTML attribute context, including both quote characters, not only angle brackets.
  • Validate and constrain the id parameter server-side before use (for example, reject anything that is not a plain identifier of the expected shape).
  • Audit authenticated workflows that accept or display user-influenced URLs to reduce phishing-style XSS delivery paths.
  • Check web server access logs and security monitoring for requests to single_unit.php whose id parameter contains quotes, angle brackets or their URL-encoded forms rather than a plain identifier.
  • Confirm the product attribution and affected version range against the vendor release and advisory references.
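As an added example for the log-review step, the script below scans access log lines for requests to single_unit.php whose id parameter is not a plain integer. It is not PatchSiren or Open ISES code; it assumes a combined-format web server access log and PHP 8 or later, the log lines are constructed for the example, and the "plain integer" rule is an assumption about what a legitimate id looks like, which should be adjusted to the deployment's real id format to avoid false positives.

```php
<?php
// Added detection example for the log-review action above. Not Open ISES or PatchSiren code.
// Assumes an Apache/Nginx "combined" access log and PHP 8+. The log lines are constructed.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - alice [20/May/2026:10:01:02 +0000] "GET /single_unit.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - bob [20/May/2026:10:02:15 +0000] "GET /single_unit.php?id=42%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
203.0.113.12 - carol [20/May/2026:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - dave [20/May/2026:10:04:01 +0000] "GET /single_unit.php?id=%3Cscript%3E HTTP/1.1" 200 5199 "-" "curl/8.0"
LOG;

// Returns the log lines whose request targets single_unit.php with an id that is not a plain integer.
function suspicious_single_unit_requests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the request target out of the quoted request field.
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $url = parse_url($m[1]);
        if (!isset($url['path']) || !str_ends_with($url['path'], '/single_unit.php')) {
            continue;
        }
        // parse_str URL-decodes the values, so encoded quotes and brackets are visible here.
        parse_str($url['query'] ?? '', $params);
        $id = $params['id'] ?? null;
        if ($id === null) {
            continue;
        }
        // Assumption: a legitimate id is a plain integer. Arrays (id[]=...) and anything
        // containing other characters are worth a look.
        if (is_string($id) && preg_match('/^\d+$/', $id)) {
            continue;
        }
        $hits[] = ['id' => is_string($id) ? $id : json_encode($id), 'line' => $line];
    }
    return $hits;
}

foreach (suspicious_single_unit_requests(SAMPLE_LOG) as $hit) {
    printf("suspicious id=%s\n  %s\n", $hit['id'], $hit['line']);
}
```

On the constructed sample, the requests from bob and dave are reported and the others are not. Against a real log, feed the file contents in place of SAMPLE_LOG and treat each hit as a lead, not a confirmed attack: the reflected payload only matters if a victim actually opened the link, so correlate the reported line with the session or user that made the request.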

Evidence notes

The supplied corpus ties this CVE to Open ISES Tickets and cites three references: a GitHub commit that appears to fix the issue, the v3.44.2 release tag, and a VulnCheck advisory. The NVD record shows the CVE as published on 2026-05-20 with vulnStatus Received. The provided metadata marks vendor confidence as low and needs review, so the product attribution should be validated against the linked sources before broad reporting.

Official resources

CVE published 2026-05-20. The supplied references indicate a fix commit and a 3.44.2 release, with no KEV listing provided in the corpus.