PatchSiren cyber security CVE debrief

CVE-2026-35009 openises CVE debrief

CVE-2026-35009 is a reflected cross-site scripting issue reported in Open ISES Tickets before version 3.44.2. The published description says an unsanitized ticket_id GET parameter is reflected into the value attribute of a hidden input in add_note.php, allowing an authenticated attacker to inject JavaScript that runs in a victim's browser when a crafted URL is opened. The linked 3.44.2 release and commit indicate the issue was addressed in that version. While the CVSS score is 5.1 (Medium), reflected XSS can still matter in ticketing workflows because it may expose user actions or data in the browser context.

Vendor: openises
Product: tickets
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Administrators, application owners, and security teams running Open ISES Tickets, especially instances on versions earlier than 3.44.2. Helpdesk or support staff who open links shared through email, chat, or ticket comments are also affected, because exploitation requires a user to open a crafted link.

Technical summary

The advisory describes a reflected XSS path in add_note.php. A request parameter named ticket_id is passed into HTML without proper output encoding and appears in a hidden input value attribute. If an authenticated attacker supplies a crafted URL, the browser can interpret injected script content in the page context when the victim visits the link. The supplied references point to a fix in Open ISES Tickets 3.44.2 and an associated GitHub commit.

Defensive priority

Medium priority. The vulnerability is browser-side and requires authentication plus user interaction, but it can still be impactful in internal ticketing systems where privileged users routinely follow shared links.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Review add_note.php and related code paths for request parameters rendered into HTML attributes.
  • Apply context-appropriate output encoding to ticket_id and any similar values before placing them in markup.
  • If patching is delayed, limit access to the application and treat untrusted ticket links with caution.
  • Monitor application logs for suspicious add_note.php requests that carry unexpected ticket_id values.
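The monitoring step above, as an added example that is not part of this debrief or of the Open ISES Tickets project: a Python scan over constructed access-log lines that flags add_note.php requests whose ticket_id is not a plain integer. The integer shape of ticket_id and the combined access-log format are assumptions; adjust both to your deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption (not stated in the advisory): ticket_id is a plain decimal integer
# in Open ISES Tickets, so any other shape counts as "unexpected" for the
# monitoring step. Tighten or widen this pattern to match your deployment.
TICKET_ID_OK = re.compile(r"[0-9]+")

# Assumed common/combined access-log line; only the fields we need are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_expected_ticket_id(value):
    """True if the decoded ticket_id looks like a legitimate ticket number."""
    return TICKET_ID_OK.fullmatch(value) is not None

def find_suspicious_add_note(log_text):
    """One finding per add_note.php request whose ticket_id is not an integer.

    parse_qs percent-decodes the query string, so an encoded quote or angle
    bracket is checked in the decoded form the page would have reflected.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/add_note.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("ticket_id", []):
            if not is_expected_ticket_id(value):
                findings.append({"ts": m.group("ts"), "ip": m.group("ip"),
                                 "user": m.group("user"), "ticket_id": value,
                                 "status": m.group("status")})
    return findings

# Constructed sample traffic (not real logs): a benign request, an encoded
# markup-breaking value, a request to a different script, a form POST with no
# query string, and a malformed but non-markup value.
SAMPLE_LOG = """\
10.0.0.5 - alice [20/May/2026:10:01:02 +0000] "GET /add_note.php?ticket_id=1042 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [20/May/2026:10:01:30 +0000] "GET /add_note.php?ticket_id=1042%22%3E%3Cscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.7 - carol [20/May/2026:10:02:11 +0000] "GET /view.php?ticket_id=abc HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.9 - bob [20/May/2026:10:03:45 +0000] "POST /add_note.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.3 - dave [20/May/2026:10:04:00 +0000] "GET /add_note.php?ticket_id=1042abc HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in find_suspicious_add_note(SAMPLE_LOG):
        print(hit)
```

A POST form submission carries ticket_id in the body, which access logs do not record, so this scan only covers the GET reflection path the advisory describes.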

Evidence notes

This debrief is based on the supplied NVD record, the linked Vulncheck advisory, the GitHub commit reference, and the Open ISES Tickets 3.44.2 release tag. The CVE and NVD timestamps supplied in the corpus are both 2026-05-20T20:16:38.063Z. Vendor/product attribution in the source corpus is low-confidence, so the product name is taken from the vulnerability description and linked release references rather than vendor metadata.

Official resources

Published and modified on 2026-05-20 per the supplied CVE and NVD timestamps. The linked references indicate the issue was fixed in Open ISES Tickets 3.44.2.