PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35010 openises CVE debrief

CVE-2026-35010 affects Open ISES Tickets versions before 3.44.2 and is described as a reflected cross-site scripting issue in patient_JF.php. The supplied records say an unsanitized ticket_id value is placed into a JavaScript variable assignment, allowing a crafted URL to trigger script execution in the victim’s browser. The references point to a fix in v3.44.2, plus a related GitHub commit and VulnCheck advisory.

Vendor: openises
Product: tickets
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Administrators and maintainers of Open ISES Tickets installations, especially any environment exposing patient_JF.php or allowing users to open links containing ticket_id parameters. Security teams should prioritize any externally reachable or broadly used deployment where authenticated users may be induced to visit a crafted URL.

Technical summary

The vulnerability is a reflected XSS issue (CWE-79) in patient_JF.php. According to the supplied description, the application takes the ticket_id GET parameter and inserts it directly into a JavaScript variable assignment without proper sanitization, enabling browser-side script execution when a crafted link is opened. The supplied NVD metadata records a network-reachable issue with user interaction required in the CVSS v4.0 vector, and the provided references indicate the issue was addressed in version 3.44.2.

Defensive priority

Medium. This is not a code-execution flaw on the server, but it can still enable browser-side compromise, session abuse, or malicious page behavior if users open a crafted link. Prioritize patching if the application is internet-facing, widely used, or accessible to privileged users.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Verify that the deployed build includes the fix referenced by the supplied GitHub commit.
  • Review patient_JF.php and related templates for unsafe insertion of request parameters into JavaScript contexts.
  • Use context-appropriate encoding or safe serialization when embedding request data in scripts.
  • Restrict access to affected instances or the vulnerable feature until remediation is complete.
  • Add or review input validation and content-security controls, but treat them as defense-in-depth rather than a replacement for patching.
  • Check logs for unusual requests targeting ticket_id and follow up on suspicious user-reported links.
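Added example, not code from the Open ISES Tickets project (which is PHP): a Python analogue of the encoding step in the bullets above, showing why JSON-serializing a request value and then escaping `<`, `>`, `&` and `'` keeps it from terminating an inline script block, and a check that compares the naive interpolation the debrief describes with the hardened form. In PHP the equivalent of js_literal() is json_encode() with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT; the variable name ticketId and the page fragments are constructed for illustration.

```python
import json
import re

# Escapes applied on top of JSON encoding so the literal is safe inside an
# inline <script> block: "<" and ">" stop a reflected "</script>" from closing
# the block early, "&" keeps the value inert under XHTML/XML parsing, and "'"
# is escaped defensively for templates that wrap the script in single quotes.
_SCRIPT_CONTEXT_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "'": "\\u0027",
}

def js_literal(value) -> str:
    """Serialize a Python value as a JavaScript literal for a <script> context.

    json.dumps already escapes '"' and '\\'; ensure_ascii=True turns every
    non-ASCII code point (including the U+2028/U+2029 line terminators that
    break string literals in older JS engines) into a \\uXXXX escape.
    """
    encoded = json.dumps(value, ensure_ascii=True)
    return "".join(_SCRIPT_CONTEXT_ESCAPES.get(ch, ch) for ch in encoded)

def render_naive(ticket_id: str) -> str:
    """The unsafe shape the debrief describes: a request value dropped into a
    JS assignment with plain string interpolation (constructed fragment)."""
    return f'<script>var ticketId = "{ticket_id}";</script>'

def render_hardened(ticket_id: str) -> str:
    """Same assignment, but the value is serialized with js_literal first."""
    return f"<script>var ticketId = {js_literal(ticket_id)};</script>"

_CLOSE_TAG = re.compile(r"</script", re.IGNORECASE)

def script_block_is_intact(html: str) -> bool:
    """True when the only '</script' in the fragment is the one the template
    emits at the end, i.e. embedded data could not terminate the block early."""
    return len(_CLOSE_TAG.findall(html)) == 1 and html.lower().endswith("</script>")

if __name__ == "__main__":
    # Constructed sample: a value that closes the script block if reflected raw.
    sample = "</script><i>x</i>"
    print(render_naive(sample), script_block_is_intact(render_naive(sample)))
    print(render_hardened(sample), script_block_is_intact(render_hardened(sample)))
```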

Evidence notes

The supplied source corpus consistently ties this CVE to a reflected XSS issue in patient_JF.php and names ticket_id as the injection point. The references include a GitHub commit, the v3.44.2 release tag, and a VulnCheck advisory; no KEV entry was supplied. The vendor identity in the source item is not firmly established, so the product identification should be treated as source-backed but not fully normalized.

Official resources

Publicly disclosed in the supplied NVD record on 2026-05-20. The source references point to a VulnCheck advisory, a GitHub commit, and the Open ISES Tickets v3.44.2 release tag. No CISA KEV entry was supplied.