PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35008 openises CVE debrief

CVE-2026-35008 is a reflected cross-site scripting (XSS) issue in Open ISES Tickets, publicly disclosed on 2026-05-20. According to the supplied record, versions before 3.44.2 place the unsanitized ticket_id GET parameter into an HTML attribute in single.php, so a crafted link runs attacker-controlled JavaScript in the victim's browser, within the application's origin, when the victim opens it. The issue is rated CVSS 5.1 (Medium); exploitation requires user interaction, and the impact is script execution in the browser rather than on the server.

Vendor: openises
Product: tickets
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Operators of Open ISES Tickets installations should care, especially where ticket-view pages are reachable by end users or from the internet. Security teams responsible for web application hardening, patch management, and output-encoding reviews should also prioritize this finding.

Technical summary

The supplied description identifies a reflected XSS flaw in single.php: the ticket_id GET parameter is inserted into an HTML attribute without sanitization or context-appropriate escaping. In an attribute context the delimiter is the quote character (or whitespace, if the attribute is unquoted), so a parameter value containing one ends the attribute and whatever follows is parsed as further attributes, such as an event handler, or as new markup; a malicious URL can therefore inject arbitrary JavaScript into the page rendered to the victim. The referenced upstream release v3.44.2 and its commit are the only supplied remediation artifacts, and they indicate the issue is fixed from that version onward.
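To make the attribute-context point concrete, the following is an added example written for this debrief; it is not code from Open ISES Tickets or from the upstream fix, and the template string, the PAYLOAD constant and the assumption that ticket_id is a positive integer are all illustrative. It mirrors the flawed pattern (raw parameter inside a double-quoted attribute), an insufficient fix that only escapes angle brackets, the context-appropriate encoding, strict validation, and a parser-based regression check that reports any attribute the template was never meant to emit.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payload: no angle brackets, so filters that only strip tags
# never see it; a double quote is all it takes to leave the attribute.
PAYLOAD = 'x" autofocus onfocus="alert(document.cookie)'

# Hypothetical mirror of the flawed pattern described for single.php: the
# raw query value is dropped straight into a double-quoted attribute.
def render_vulnerable(ticket_id: str) -> str:
    return f'<input type="hidden" name="ticket_id" value="{ticket_id}">'

# Insufficient fix: escaping only < and >. Adequate in text context, useless
# inside an attribute, where the quote character is the delimiter.
def render_angle_only(ticket_id: str) -> str:
    partly = ticket_id.replace("<", "&lt;").replace(">", "&gt;")
    return f'<input type="hidden" name="ticket_id" value="{partly}">'

# Context-appropriate encoding for a quoted attribute: &, <, >, " and '
# all become entities (html.escape with quote=True here; htmlspecialchars
# with ENT_QUOTES is the PHP equivalent).
def render_escaped(ticket_id: str) -> str:
    safe = html.escape(ticket_id, quote=True)
    return f'<input type="hidden" name="ticket_id" value="{safe}">'

# Validation is the stronger control when the type is known. Assumption for
# this example: a ticket identifier is a positive integer, so anything else
# is rejected before it reaches a template. Returns None on rejection.
def parse_ticket_id(raw: str):
    if re.fullmatch(r"[1-9][0-9]{0,9}", raw) is None:
        return None
    return int(raw)

class _AttrCollector(HTMLParser):
    """Records every (tag, attribute) pair an HTML parser sees in the output."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.extend((tag, name) for name, _ in attrs)

# Regression check: the template is only supposed to produce one <input> with
# type, name and value. Any other tag/attribute means the parameter broke out.
EXPECTED = {("input", "type"), ("input", "name"), ("input", "value")}

def injected_attributes(rendered: str):
    parser = _AttrCollector()
    parser.feed(rendered)
    parser.close()
    return sorted(set(parser.seen) - EXPECTED)

if __name__ == "__main__":
    renderers = [("vulnerable", render_vulnerable),
                 ("angle-only", render_angle_only),
                 ("escaped", render_escaped)]
    for label, render in renderers:
        print(f"{label:10s} injected attributes: {injected_attributes(render(PAYLOAD))}")
    print("validation:", parse_ticket_id("42"), parse_ticket_id(PAYLOAD))
```

The check in injected_attributes is what a regression test for the ticket-view flow should assert on: not "the payload string is absent" (an encoded copy of it is still present in the safe output) but "the parsed output carries no attributes beyond the template's own".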

Defensive priority

Medium priority overall, with higher urgency for internet-facing deployments or environments where users routinely open ticket links, such as support portals that email ticket URLs. The CVSS score is moderate, but a script running in the application's origin can read what the page can read, send requests with the victim's session, alter page content, and present phishing prompts inside the application, so the upgrade should not be deferred indefinitely.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Confirm the fix is present in any downstream forks, backports, or vendor repackaging.
  • Review single.php and related templates for contextual output encoding of GET parameters, especially values placed into HTML attributes.
  • Validate ticket_id and similar request parameters strictly against their expected type (a numeric identifier, where that is what the application uses) and encode them for the HTML attribute context at output time; validation and output encoding are separate controls and both apply.
  • Add regression tests or security checks for reflected XSS in ticket-view flows.
  • Review access logs and application telemetry for crafted single.php?ticket_id= requests covering the period before the patch was applied; because the parameter travels in the URL, the payload is normally visible in the access log, usually percent-encoded.

Evidence notes

The evidence base for this debrief is limited to the supplied NVD record, the linked Vulncheck advisory reference, the upstream GitHub commit, and the v3.44.2 release tag. The NVD item explicitly records the vuln status as Received and includes the Vulncheck-provided description and the CWE-79 classification. The supplied metadata also shows a vendor-field mismatch: the source description points to Open ISES Tickets, while the vendor field is marked Unknown Vendor with low confidence and needs review. The CVSS v4 vector indicates user interaction is required, while the description refers to authenticated attackers; these are separate metrics (the victim must open the link regardless of what privileges the attacker holds), so treat privilege assumptions carefully and rely on the vendor advisory and patch artifacts for operational validation.

Official resources

The issue was publicly disclosed in the supplied NVD record on 2026-05-20, with remediation references pointing to the upstream commit and the v3.44.2 release tag. No earlier disclosure date is asserted here beyond that publication timestamp.