PatchSiren cyber security CVE debrief
CVE-2026-35015 openises CVE debrief
CVE-2026-35015 is a reflected cross-site scripting (XSS) vulnerability in Open ISES Tickets before version 3.44.2. According to the supplied advisory and NVD record, the issue is in do_unit_mail.php, where an unsanitized the_ticket GET parameter is inserted into a JavaScript variable assignment. That can let an authenticated attacker cause script execution in a victim’s browser when a crafted URL is visited. The upstream fix is associated with the v3.44.2 release and the referenced commit.
- Vendor: openises
- Product: tickets
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Administrators and developers running Open ISES Tickets instances prior to 3.44.2, especially environments where authenticated users can be induced to open crafted links.
Technical summary
The vulnerability is a reflected XSS issue (CWE-79) in do_unit_mail.php. The supplied description says the_ticket is passed from the URL directly into JavaScript without proper sanitization, creating an injection point in client-side script context. The NVD record reflects a network-reachable issue with user interaction required (a victim must visit the crafted URL), and the published references point to the upstream fix commit and the v3.44.2 release tag.
Defensive priority
Medium. This is not a code-execution or server-side compromise issue, but reflected XSS can still lead to session theft, account actions performed in the victim’s context, or trusted-user abuse. Priority increases if the application is exposed to many authenticated users or handles sensitive ticket data.
Recommended defensive actions
- Upgrade Open ISES Tickets to version 3.44.2 or later.
- Review do_unit_mail.php and any similar code paths that place request parameters into JavaScript contexts.
- Ensure the_ticket and other request parameters are output-encoded for the correct context before insertion into HTML or JavaScript.
- Add server-side input validation for request parameters, but do not rely on validation alone as a substitute for output encoding.
- Audit logs and user reports for suspicious crafted links targeting authenticated users.
- If immediate upgrade is not possible, apply temporary access controls or filtering around the affected functionality until remediation is complete.
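The context-correct output encoding and validation recommended above, shown as an added PHP example that is not Open ISES Tickets' own code. The vulnerable function is a hypothetical reconstruction of the pattern the advisory describes (a request parameter spliced into a JavaScript variable assignment), and the assumption that ticket ids are numeric is mine, not something the advisory states.

```php
<?php
// Added example, not from the Open ISES Tickets code base.

// Vulnerable pattern (hypothetical reconstruction): the raw request value is
// concatenated into a JavaScript string literal. Any quote, angle bracket or
// ampersand in the value can change the structure of the script instead of
// staying inside the intended string.
function render_ticket_script_vulnerable(string $theTicket): string
{
    return "<script>var the_ticket = '" . $theTicket . "';</script>";
}

// Encoder for the JavaScript-in-HTML context: json_encode produces a
// self-contained JS string literal, and the HEX flags additionally escape
// < > & ' " as \uXXXX so the value can never close the surrounding quotes
// or terminate the enclosing <script> element.
function js_literal(string $value): string
{
    $encoded = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    // json_encode returns false on invalid UTF-8; fall back to an empty literal.
    return $encoded === false ? '""' : $encoded;
}

// Hardened pattern: validate the expected shape (assumption: numeric ids),
// then still output-encode for the JavaScript context as defense in depth.
function render_ticket_script_hardened(string $theTicket): string
{
    if (!preg_match('/^\d{1,10}$/', $theTicket)) {
        http_response_code(400);
        return '';
    }
    return '<script>var the_ticket = ' . js_literal($theTicket) . ';</script>';
}

// Constructed sample values (not real request data).
$valid   = '12345';
$invalid = "42'<tag>&x";

echo render_ticket_script_hardened($valid) . PHP_EOL;
// prints: <script>var the_ticket = "12345";</script>

// The invalid value is rejected by validation; shown here only to illustrate
// how the encoder neutralises structure-changing characters on its own.
echo js_literal($invalid) . PHP_EOL;
// prints: "42\u0027\u003Ctag\u003E\u0026x"
```

Any template or include that builds inline script from request data should route the value through the same context-specific encoder rather than through an HTML-only escape such as htmlspecialchars, which does not protect a JavaScript string context.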
Evidence notes
The source corpus identifies the issue as a reflected XSS in Open ISES Tickets before 3.44.2, with the_ticket in do_unit_mail.php as the injection point. The NVD record cites CWE-79 and includes references to an upstream commit and the v3.44.2 release tag. Vendor attribution remains low-confidence in the supplied metadata, so this debrief treats the product name as supplied by the disclosure text while keeping vendor guidance conservative.
Official resources
Publicly disclosed on 2026-05-20 in the supplied NVD/VulnCheck source set. The record and references indicate the fix was released in Open ISES Tickets v3.44.2, with an upstream commit linked as remediation context.