PatchSiren cyber security CVE debrief
CVE-2026-35011 openises CVE debrief
CVE-2026-35011 is a reflected cross-site scripting issue in Open ISES Tickets before version 3.44.2. According to the provided advisory and NVD record, the opena.php endpoint can reflect an unsanitized frm_call GET parameter into page output, allowing JavaScript injection in a victim’s browser when a crafted URL is visited. NVD lists the issue as CVSS 5.1/Medium, and the referenced fix is included in the 3.44.2 release.
- Vendor: openises
- Product: tickets
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Organizations running Open ISES Tickets versions prior to 3.44.2, especially teams whose authenticated users can reach opena.php or share URLs inside the application. Security teams should also care where the application is used in browser sessions in which reflected content would execute in a trusted user's context.
Technical summary
The vulnerability is a reflected XSS (CWE-79) in opena.php. The frm_call GET parameter is described as being passed into page output without proper sanitization, which can let an attacker supply JavaScript that executes in the browser of a user who opens the malicious link. The source corpus ties remediation to the v3.44.2 release and a corresponding repository commit. The provided NVD vector and the advisory should be treated as the authoritative basis for scope and severity.
Defensive priority
Medium. Prioritize if Open ISES Tickets is internet-facing, used by many internal users, or reachable by users with elevated trust in the application, because successful XSS can steal session data, perform actions in the user’s context, or support phishing within the app.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Review opena.php and any related request handling for output encoding and input validation on frm_call.
- Treat user-supplied query parameters as untrusted and ensure they are safely escaped before rendering in HTML or script contexts.
- If immediate upgrade is not possible, consider restricting access to affected interfaces and monitoring for suspicious URLs containing unexpected frm_call values.
- Validate that security controls such as CSP and session protections are in place, while recognizing they do not replace the code fix.
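The second and third actions above come down to one coding pattern: never write a request parameter into HTML without validating it and encoding it for the context it lands in. The snippet below is an added illustration, not code from Open ISES Tickets or from the referenced fix; the handler names, the hidden-field template and the allow-list of frm_call values are assumptions made for the example.

```php
<?php
// Added example (not code from Open ISES Tickets): renderUnsafe/renderSafe, the
// hidden-field template and the allow-list below are assumptions for illustration.

declare(strict_types=1);

// Weak pattern: the GET parameter is interpolated straight into HTML output, so
// whatever the parameter contains becomes markup in the user's browser.
function renderUnsafe(array $query): string
{
    $frmCall = (string) ($query['frm_call'] ?? '');
    return '<input type="hidden" name="frm_call" value="' . $frmCall . '">';
}

// Hardened pattern: validate against the set of values the application actually
// expects, then encode for the HTML attribute context before rendering.
function renderSafe(array $query): string
{
    $frmCall = (string) ($query['frm_call'] ?? '');

    // Assumed allow-list; a real application would use the values it dispatches on.
    $allowed = ['new', 'edit', 'view'];
    if (!in_array($frmCall, $allowed, true)) {
        $frmCall = ''; // reject unexpected input instead of echoing it back
    }

    // ENT_QUOTES escapes both quote styles, so the value cannot terminate the
    // attribute; <, > and & are escaped as well, so no new element can start.
    $encoded = htmlspecialchars($frmCall, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="frm_call" value="' . $encoded . '">';
}

// Constructed inputs for a quick self-check (not captured traffic).
$benign = ['frm_call' => 'edit'];
$hostile = ['frm_call' => 'edit"><em>not-expected</em>']; // constructed: closes the attribute

echo renderUnsafe($hostile), PHP_EOL; // the attribute is broken and new markup appears
echo renderSafe($hostile), PHP_EOL;   // value rejected; an empty, well-formed attribute is rendered
echo renderSafe($benign), PHP_EOL;    // value="edit"
```

Apply the encoding at the point of output, and choose the encoder for the context: htmlspecialchars() is correct for element text and attribute values, but a value placed inside a script block or a URL needs JavaScript or URL encoding instead. The allow-list is the stronger control because it removes the unexpected input entirely, while the encoding is the safety net that holds even when the allow-list is later widened.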
Evidence notes
Supported by the NVD CVE record for CVE-2026-35011 and the VulnCheck advisory references included in the source corpus. The corpus cites the Open ISES Tickets repository commit ecfeb406a016766cae81c749e14b5145a9f2dbff and the v3.44.2 release tag as the remediation references. Published and modified timestamps in the supplied record are 2026-05-20T20:16:38.350Z.
Official resources
Disclosed in the supplied source corpus on 2026-05-20; treat that date as the CVE publication context, not as a remediation or exploitation date.