PatchSiren cyber security CVE debrief

CVE-2026-35016 openises CVE debrief

CVE-2026-35016 is a reflected cross-site scripting issue reported in Open ISES Tickets before version 3.44.2. The vulnerability is described as an unsanitized frm_query POST value being inserted into an HTML input field VALUE attribute in search.php, which can let a logged-in attacker trigger JavaScript execution in a victim’s browser. The fixed release is 3.44.2.

Vendor: openises
Product: tickets
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Administrators and users of Open ISES Tickets installations that expose the affected search functionality should care, especially where authenticated users can submit shared or linkable content that may reach other users.

Technical summary

The issue is a reflected XSS in search.php. According to the supplied advisory text, the frm_query POST parameter is not properly sanitized before being reflected into an HTML input element's VALUE attribute. Because the value lands in an attribute context without encoding, a crafted request can break out of the attribute and cause the victim's browser to execute script in their session. The affected versions are those before 3.44.2, and the release tagged 3.44.2 is the referenced fix.

Defensive priority

Medium. The CVSS score is 5.1 (MEDIUM), but reflected XSS can still enable session abuse, phishing-style payload delivery, and actions performed in the context of a logged-in user.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Review search.php and any related request handling to ensure user input is HTML-attribute encoded before rendering.
  • Validate and encode the frm_query parameter on output rather than relying on request-side filtering alone.
  • Check whether authenticated users can reach the affected search flow and limit exposure where possible.
  • Use CSP and other browser-side hardening as defense-in-depth, but do not treat them as a substitute for fixing the application.
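The output-encoding fix described in the actions above, shown as an added PHP example that is not code from the Open ISES Tickets project; the function names and the sample input are assumptions made for illustration, and the vulnerable form is included only to make the contrast with the encoded form visible.

```php
<?php
// Added example, not project code. It contrasts the pattern the advisory
// describes (a POST value echoed into an input VALUE attribute) with the
// output-encoding fix. Function names are hypothetical.

// Vulnerable pattern: the raw request value is interpolated into an
// attribute. In an attribute context a quote character in the input can
// terminate the attribute, so encoding must cover quotes, not only < and >.
function render_search_box_unsafe(string $query): string
{
    return '<input type="text" name="frm_query" value="' . $query . '">';
}

// Hardened pattern: HTML-attribute encode at output time.
// ENT_QUOTES encodes both " and ' (the characters that end an attribute);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string;
// the charset is passed explicitly so the encoder never guesses it.
function attr_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_search_box_safe(string $query): string
{
    return '<input type="text" name="frm_query" value="' . attr_encode($query) . '">';
}

// Request handling: read the POST value as a string and bound its length.
// This is a sanity check only; the encoding above is what prevents the bug,
// and it happens on output regardless of what filtering ran on input.
function get_query(array $post): string
{
    $q = $post['frm_query'] ?? '';
    if (!is_string($q)) {            // reject frm_query[]=... array submissions
        return '';
    }
    return mb_substr($q, 0, 200, 'UTF-8');
}

// Constructed sample input (benign): a search term containing a double
// quote and angle brackets, the characters that matter in this context.
$query = get_query(['frm_query' => 'printer "HP" <urgent>']);

echo render_search_box_unsafe($query), "\n";   // quotes end the attribute early
echo render_search_box_safe($query), "\n";     // quotes become &quot;, brackets &lt; and &gt;
```

Grep the application for other places where request values are concatenated into markup, since the same encode-on-output rule applies to each of them.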

Evidence notes

The NVD record supplied for CVE-2026-35016 cites a VulnCheck advisory, a GitHub commit in the openises/tickets repository, and the v3.44.2 release tag as references. The vulnerability description in the supplied corpus states that search.php reflects the frm_query POST parameter into an HTML VALUE attribute without sanitization, enabling reflected XSS. Vendor attribution in the provided metadata is low confidence and marked for review.

Official resources

The supplied record was published by the official vulnerability database on 2026-05-20T20:16:39.070Z and references a VulnCheck advisory, a GitHub commit, and the Open ISES Tickets v3.44.2 release tag.