PatchSiren cyber security CVE debrief

CVE-2026-35013 openises CVE debrief

CVE-2026-35013 is a reflected cross-site scripting issue in Open ISES Tickets before version 3.44.2. The problem is described as unsanitized thelat and thelng GET parameters being inserted directly into JavaScript variable assignments in street_view.php, which can let a crafted link execute attacker-controlled script in a victim’s browser when the URL is visited. The supplied data identifies CWE-79 and a fixed release at v3.44.2.

Vendor: openises
Product: tickets
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Administrators and maintainers of Open ISES Tickets deployments, especially any instance exposing street_view.php to users. Security teams should prioritize systems running versions earlier than 3.44.2 and any workflows where users may click or open application links.

Technical summary

According to the supplied NVD record and referenced disclosure, street_view.php in Open ISES Tickets accepts thelat and thelng GET parameters and places their values into JavaScript without proper sanitization or escaping. That creates a reflected XSS condition: an attacker can supply a crafted URL so the malicious payload is rendered in the response and executes in the browser of a user who follows the link. The affected range is stated as versions before 3.44.2.

Defensive priority

Medium. The issue requires a user to open a crafted URL, but it still enables script execution in the web application’s origin, so exposed deployments should be updated promptly to the fixed version.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Review street_view.php and related code paths for unsafe interpolation of request parameters into JavaScript.
  • Apply context-appropriate output encoding or server-side validation for thelat and thelng values.
  • Check for any exposed links or workflows that may allow users to reach the vulnerable page.
  • Use security testing to verify that reflected input is no longer executable after patching.
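The following is an added example written for this debrief; it is not code from Open ISES Tickets or from the referenced fix commit. It illustrates the two points above: the technical summary's description of request parameters being interpolated straight into JavaScript variable assignments, and the recommended remediation of validating thelat and thelng server-side and encoding them for the JavaScript context. Only the parameter names thelat, thelng and the file name street_view.php come from the page; the function names, the fallback coordinate of 0.0 and the sample inputs are assumptions constructed for the example. It targets PHP 8.

```php
<?php
// Added example for the CVE-2026-35013 debrief, not code from the
// Open ISES Tickets project. Contrasts the unsafe pattern described in the
// NVD record (GET parameters echoed into JavaScript variable assignments)
// with a validate-then-encode handler. Names other than thelat/thelng are
// assumptions.

declare(strict_types=1);

/**
 * Validate a coordinate: it must be a plain decimal number within
 * [$min, $max]. Returns the float, or null when missing or malformed.
 */
function parseCoordinate(?string $raw, float $min, float $max): ?float
{
    if ($raw === null) {
        return null;
    }
    // FILTER_VALIDATE_FLOAT accepts only a decimal number, so any text that
    // is not a coordinate is rejected before it can reach the response.
    $value = filter_var($raw, FILTER_VALIDATE_FLOAT);
    if ($value === false || $value < $min || $value > $max) {
        return null;
    }
    return $value;
}

/**
 * Encode a value as a JavaScript literal for use inside an HTML <script>
 * block. json_encode yields a valid JS literal; the HEX flags emit <, >, &,
 * ' and " as \uXXXX escapes so the output can neither close the <script>
 * element nor break out of a string literal.
 */
function jsLiteral(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/**
 * Hardened handler: build the <script> block for the street view page from
 * the query array. Invalid or missing coordinates fall back to 0.0 (an
 * assumed default) instead of being reflected to the browser.
 */
function renderStreetViewScript(array $query): string
{
    $lat = parseCoordinate($query['thelat'] ?? null, -90.0, 90.0) ?? 0.0;
    $lng = parseCoordinate($query['thelng'] ?? null, -180.0, 180.0) ?? 0.0;

    return "<script>\n"
        . "var thelat = " . jsLiteral($lat) . ";\n"
        . "var thelng = " . jsLiteral($lng) . ";\n"
        . "</script>\n";
}

/**
 * Unsafe pattern of the kind the advisory describes, shown only for
 * contrast: whatever arrives in the query string lands unescaped inside
 * the script block.
 */
function renderStreetViewScriptUnsafe(array $query): string
{
    return "<script>\n"
        . "var thelat = " . ($query['thelat'] ?? '') . ";\n"
        . "var thelng = " . ($query['thelng'] ?? '') . ";\n"
        . "</script>\n";
}

// Constructed sample inputs: one well-formed pair of coordinates, and one
// pair of non-numeric strings that the hardened handler must discard.
$good = ['thelat' => '51.5074', 'thelng' => '-0.1278'];
$bad  = ['thelat' => '51.5; x = 1', 'thelng' => '</script>'];

echo renderStreetViewScript($good);  // var thelat = 51.5074; var thelng = -0.1278;
echo renderStreetViewScript($bad);   // both coordinates fall back to 0.0; nothing reflected
```

Validation is the primary control here because latitude and longitude have a fixed, numeric shape; the JSON encoding step is a second layer that keeps the output safe even if a future change allows a non-numeric value to reach the script block. The same pair of checks doubles as a post-patch verification: a benign non-numeric marker submitted in thelat or thelng should never appear verbatim in the response body.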

Evidence notes

The description and weakness mapping in the supplied source item identify reflected XSS in street_view.php, affected versions before 3.44.2, and CWE-79. The reference set includes a Git commit, the v3.44.2 release tag, and a Vulncheck advisory URL, but the full advisory content was not provided in the corpus.

Official resources

CVE record published and last modified on 2026-05-20T20:16:38.640Z. No KEV entry or ransomware-campaign indicator is present in the supplied data.