PatchSiren cyber security CVE debrief
CVE-2026-35014 openises CVE debrief
CVE-2026-35014 is a reflected cross-site scripting issue in Open ISES Tickets affecting versions before 3.44.2. An authenticated attacker can supply a crafted ticket_id value that is reflected into a hidden input field without proper sanitization, causing arbitrary JavaScript to run in a victim’s browser when the malicious URL is opened.
- Vendor: openises
- Product: tickets
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Teams running Open ISES Tickets, especially administrators responsible for web application patching, security reviewers validating reflected user input, and anyone who relies on authenticated browser sessions to use the application. Because the issue is triggered through a crafted link and affects browser-side behavior, users who may click shared application URLs should also be considered.
Technical summary
The vulnerable code path is routes_nm.php. The ticket_id GET parameter is written into the value attribute of a hidden input field without attribute-context output encoding, creating a CWE-79 reflected XSS condition. The supplied advisory and NVD record indicate the issue is addressed in Open ISES Tickets v3.44.2, with a repository commit and release tag cited as remediation references.
Defensive priority
Medium priority. The CVSS score is 5.1 and the attack requires user interaction, but successful exploitation can execute script in a victim’s browser and may impact authenticated users. Patch promptly if the application is internet-facing or widely used by trusted users.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Verify deployed instances are not running any affected pre-3.44.2 builds, including forks or packaged copies.
- Review application code for reflected parameters in routes_nm.php and ensure output encoding is applied before inserting values into HTML attributes.
- Add or tighten server-side validation for ticket_id and related request parameters.
- Treat unexpected or user-supplied application links as suspicious and reinforce user awareness around crafted URLs.
- Consider defense-in-depth controls such as a restrictive Content Security Policy to reduce the impact of XSS.
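The code review and validation actions above, shown as an added example in PHP. This is not Open ISES code: the handler, function names and the assumption that ticket_id is a positive integer are hypothetical; it only mirrors the pattern the advisory describes (a GET parameter reflected into a hidden input's value attribute) beside a hardened form.

```php
<?php
// Added example, not from the Open ISES Tickets repository. Assumes a
// hypothetical handler where ticket_id is a positive integer identifier.
declare(strict_types=1);

// Pattern the advisory describes: raw reflection into an attribute value.
// A double quote in the input ends the attribute early.
function render_hidden_unsafe(string $ticketId): string
{
    return '<input type="hidden" name="ticket_id" value="' . $ticketId . '">';
}

// Hardened step 1: server-side validation before anything is rendered.
function validate_ticket_id(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened step 2: attribute-context encoding. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE avoids returning '' on malformed UTF-8.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hidden_safe(mixed $rawTicketId): string
{
    $id = validate_ticket_id($rawTicketId);
    if ($id === null) {
        http_response_code(400);
        return 'Invalid ticket_id';
    }
    // Encode even the validated integer so the encoding is not skipped if
    // the validation rule is later relaxed.
    return '<input type="hidden" name="ticket_id" value="' . attr((string) $id) . '">';
}

// Constructed inputs for a self-check (php this_file.php).
$probe = '42"<';                              // constructed, breaks the attribute
echo render_hidden_unsafe($probe), PHP_EOL;   // value="42"<"  (boundary broken)
echo render_hidden_safe($probe), PHP_EOL;     // Invalid ticket_id
echo render_hidden_safe('42'), PHP_EOL;       // value="42"
echo attr($probe), PHP_EOL;                   // 42&quot;&lt;
```

The validation step is only correct for deployments where ticket_id is numeric; if the real application accepts other formats, keep the encoding step and adapt the validation rule.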
Evidence notes
The CVE description states that Open ISES Tickets before 3.44.2 contains a reflected XSS vulnerability in routes_nm.php via the ticket_id GET parameter. The NVD record and the VulnCheck advisory both reference the same issue, and the advisory links an Open ISES Tickets repository commit plus the v3.44.2 release as remediation references. Published and modified timestamps in the supplied timeline are identical at 2026-05-20T20:16:38.780Z.
Official resources
Published and recorded on 2026-05-20T20:16:38.780Z. The supplied sources attribute the advisory to VulnCheck, with NVD reflecting the CVE at the same timestamp and linking the repository commit and v3.44.2 release reference.