PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35012 openises CVE debrief

CVE-2026-35012 affects Open ISES Tickets before version 3.44.2 and is a reflected cross-site scripting issue in add_facnote.php. The issue occurs when an unsanitized ticket_id GET parameter is written into a hidden input field's value attribute, allowing attacker-controlled script to execute in a victim's browser when a crafted URL is visited. NVD and the VulnCheck advisory both point to a fix in the 3.44.2 release line.

Vendor: openises
Product: tickets
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Administrators and security teams responsible for Open ISES Tickets deployments, especially instances running versions earlier than 3.44.2. Help desk, ticketing, and support teams should also care: the vulnerable flow is the ticket note handling in add_facnote.php, so the people most likely to be targeted are staff who hold an authenticated session in the application and are handed a crafted link to a ticket.

Technical summary

The vulnerability is a reflected XSS (CWE-79) in add_facnote.php. The ticket_id GET parameter is written, without validation or encoding, into the VALUE attribute of a hidden input element. A double quote in the parameter terminates that attribute; whatever follows is then parsed as further attributes on the same tag or, after a closing ">", as new markup, which is how attacker-supplied script ends up executing in the application's origin with the victim's session. Because the value is reflected from the request rather than stored, exploitation depends on a victim opening a crafted URL. The NVD record cites a fixing commit and the v3.44.2 release as references, indicating the issue was addressed in that version.

Defensive priority

Medium. A crafted link is enough to trigger the flaw, but exploitation needs a victim to open that link and, on the stored evidence, an authenticated session on the affected function. The impact is then script execution in the victim's browser in the ticketing application's origin, which includes whatever that session can do.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later; this is the fix, everything below is mitigation or verification.
  • Review any workflow that builds links into add_facnote.php with a ticket_id value taken from outside the application (e-mail templates, integrations, bookmarked URLs) and correct any that pass the value through unvalidated.
  • Audit the affected code path for output encoding and context-aware escaping before rendering HTML attributes; an attribute value needs quote characters encoded, not just angle brackets.
  • Add server-side validation for ticket_id to enforce the expected format (a decimal integer) and reject the request outright on anything else rather than echoing it back.
  • Use security headers such as a restrictive Content Security Policy to reduce the impact of any remaining XSS paths; a policy that still allows 'unsafe-inline' script does not help here.
  • Monitor web server logs for requests to add_facnote.php whose ticket_id value is not a plain integer, including percent-encoded quote or angle-bracket characters.
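The attribute-context breakout described in the technical summary, next to the validate-then-encode shape the recommended actions call for, as an added illustration. This is not code from Open ISES Tickets or from the fixing commit; the function names, the HTML fragment, the 10-digit length cap and the sample value are assumptions, and the sample value is a constructed example of the injection class, not the payload from the advisory.

```php
<?php
// Added example for the CVE-2026-35012 pattern (reflected XSS in an HTML
// attribute). Not the Open ISES Tickets source: names, markup and the sample
// input below are assumptions. Requires PHP 8+.
declare(strict_types=1);

// Vulnerable shape: the raw GET value is concatenated into a double-quoted
// attribute. A '"' in the value closes the attribute and a following '>'
// closes the tag, so the rest of the value is parsed as new markup.
function render_hidden_ticket_id_vulnerable(string $ticketId): string
{
    return '<input type="hidden" name="ticket_id" value="' . $ticketId . '">';
}

// Hardened shape, two independent layers:
//  1. validate: a ticket id is a decimal integer, so reject anything else
//     (ctype_digit('') is false, so the empty string is rejected too);
//  2. encode for the attribute context. ENT_QUOTES turns both quote
//     characters into entities; older PHP defaults (ENT_COMPAT) leave the
//     single quote alone, which is unsafe for single-quoted attributes.
function render_hidden_ticket_id_hardened(string $ticketId): string
{
    if (!ctype_digit($ticketId) || strlen($ticketId) > 10) {
        // Fail closed: the caller maps this to HTTP 400 and echoes nothing.
        throw new InvalidArgumentException('ticket_id must be a decimal integer');
    }
    $safe = htmlspecialchars($ticketId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="ticket_id" value="' . $safe . '">';
}

// Constructed sample value (assumption, not from the record): closes the
// attribute and the tag, injects a script element, then opens a dummy
// attribute so the original trailing '">' still parses cleanly.
$crafted = '42"><script>alert(document.domain)</script><input value="';

echo "vulnerable: ", render_hidden_ticket_id_vulnerable($crafted), "\n";

try {
    echo "hardened:   ", render_hidden_ticket_id_hardened($crafted), "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")\n";
}

// A well-formed id renders unchanged, with the encoding as a second line of
// defence should the validation ever be loosened.
echo "hardened:   ", render_hidden_ticket_id_hardened('42'), "\n";
```

Run it with `php example.php` and compare the first line of output, where the injected script element sits outside the input tag, with the last two, where the crafted value never reaches the template and the legitimate id is encoded on the way out.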
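The log check from the last bullet, as an added example that is not part of the advisory or the project. It scans combined-format access log lines for requests to add_facnote.php whose ticket_id is not a plain integer after percent-decoding, which is the fingerprint of the attribute breakout regardless of the exact payload. The log format, the path prefix and the sample lines are constructed; the function name is an assumption. Requires PHP 8+ for str_ends_with.

```php
<?php
// Added detection example for CVE-2026-35012 probing. Not from the advisory
// or the project; the combined log format and the sample lines are constructed.
declare(strict_types=1);

// Returns [line_number => decoded ticket_id] for every add_facnote.php request
// whose ticket_id is not a string of digits; empty array when nothing matches.
function find_suspicious_add_facnote_requests(iterable $lines): array
{
    $findings = [];
    $n = 0;
    foreach ($lines as $line) {
        $n++;
        // Request field of the combined format: "METHOD /path?query HTTP/x.y"
        if (!preg_match('~"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"~', $line, $m)) {
            continue;
        }
        $url = parse_url($m[1]);
        if (!is_array($url) || !isset($url['path'])
            || !str_ends_with($url['path'], '/add_facnote.php')) {
            continue;
        }
        if (empty($url['query'])) {
            continue;
        }
        parse_str($url['query'], $params);
        if (!isset($params['ticket_id'])) {
            continue;
        }
        $ticketId = $params['ticket_id'];
        // ticket_id[]=... arrives as an array; that is never a valid id.
        if (!is_string($ticketId)) {
            $findings[$n] = '(array)';
            continue;
        }
        // parse_str has already percent-decoded once; decode a second time so a
        // double-encoded %2522 is seen as the quote it becomes on the server.
        $decoded = rawurldecode($ticketId);
        if (!ctype_digit($decoded)) {
            $findings[$n] = $decoded;
        }
    }
    return $findings;
}

// Constructed sample log lines (not real traffic).
$sample = [
    '10.0.0.5 - - [20/May/2026:10:01:02 +0000] "GET /tickets/add_facnote.php?ticket_id=1042 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [20/May/2026:10:01:09 +0000] "GET /tickets/add_facnote.php?ticket_id=1042%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 600 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/May/2026:10:02:00 +0000] "GET /tickets/view.php?ticket_id=%22 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/May/2026:10:02:30 +0000] "GET /tickets/add_facnote.php?ticket_id=1042%2522 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
];

foreach (find_suspicious_add_facnote_requests($sample) as $lineNo => $value) {
    printf("line %d: suspicious ticket_id %s\n", $lineNo, var_export($value, true));
}
```

Lines 2 and 4 are reported (a decoded quote and a double-encoded quote respectively); line 1 is a legitimate id and line 3 is a different script, so neither is flagged. Point the function at `new SplFileObject('/var/log/apache2/access.log')` instead of the sample array to run it over real logs, and treat a hit from an authenticated session as a potential successful delivery rather than only a probe.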

Evidence notes

The vulnerability description, affected version boundary, and CWE-79 classification come from the supplied CVE record and associated NVD metadata. NVD lists a fixing commit (ecfeb406a016766cae81c749e14b5145a9f2dbff), the v3.44.2 release tag, and the VulnCheck advisory as references. The vendor field in the supplied corpus is low confidence and marked for review, so this debrief focuses on the product and vulnerability details that are directly supported.

Official resources

Publicly disclosed on 2026-05-20 in the supplied NVD record and associated VulnCheck materials; both the CVE record and the advisory were last updated on 2026-05-21.