These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-48249 affects Open ISES Tickets before 3.44.2. In the mobile (RouteMate) login flow, the application disables TLS certificate verification for outbound HTTPS requests, which can allow a network-positioned attacker to intercept or alter traffic in transit.
CVE-2026-48248 affects Open ISES Tickets before 3.44.2. In the login/authentication flow, the application issued outbound HTTPS requests with TLS certificate verification disabled, which means a network-path attacker could impersonate the remote endpoint and observe or alter in-transit data. Because this happens during authentication-related communication, the exposure may include API keys or session-bearing data.
CVE-2026-48247 affects Open ISES Tickets before 3.44.2, where shared helper code in incs/functions.inc.php disabled TLS certificate verification for outbound HTTPS requests. That creates a classic man-in-the-middle risk: an attacker on the path between the server and the remote endpoint can present a forged certificate and potentially observe or alter requests and responses in transit. The supplied adviso [truncated]
CVE-2026-48246 affects Open ISES Tickets before version 3.44.2. During incident report generation, ajax/reports.php makes outbound HTTPS requests for Google Maps Directions API lookups with TLS certificate verification disabled, which can let an attacker on the network path intercept or alter traffic. The issue is rated HIGH and is addressed in v3.44.2.
CVE-2026-48245 describes a secret exposure issue in Open ISES Tickets before version 3.44.2. A Google Maps API key was hardcoded in tables.php and committed to the public source repository, making it readable by anyone with access to the code. Because the key could be reused to make Google Maps Platform requests charged to the original Google Cloud project, the issue creates both abuse and billing risk. T [truncated]
CVE-2026-48243 describes a hardcoded WhitePages reverse-phone API key embedded in wp1.php in Open ISES Tickets before version 3.44.2. Because the key was committed to the public source repository, anyone with read access to the source tree could extract it and use it to make third-party API calls that could be billed to, or rate-limited against, the original account. The issue was published on 2026-05-21 [truncated]
CVE-2026-48242 affects Open ISES Tickets before 3.44.2. The issue is hardcoded MySQL connection credentials in import_mdb.php, which are stored in source code committed to the public repository. That makes valid database configuration values visible to anyone who can read the code, creating a serious credential-exposure risk if those values are reused in deployed systems.
CVE-2026-48241 is a critical credential-exposure issue in Open ISES Tickets versions before 3.44.2. The affected loader.php file contains hardcoded MySQL database credentials committed to the source repository. If an attacker can read the public source tree or access the file on a deployed system, they may recover the database username, password, and database name and attempt to connect to the database if [truncated]
CVE-2026-48240 is a high-severity SQL injection affecting Open ISES Tickets before 3.44.2. The vulnerable code in ajax/statistics.php concatenates tick_id and f_tick_id POST values into WHERE clauses in statistics rollup SELECT queries without sanitization, allowing authenticated attackers to change query behavior and potentially read, modify, or destroy database contents. A fix is present in the 3.44.2 r [truncated]
CVE-2026-48238 affects Open ISES Tickets before version 3.44.2. The issue is a SQL injection in ajax/mobile_main.php where the id GET parameter is concatenated into a SELECT WHERE clause used as a ticket-existence sanity check without sanitization. Because the request must be authenticated, the barrier to entry is higher than for a public unauthenticated flaw, and successful exploitation could let an attac [truncated]
CVE-2026-48237 affects Open ISES Tickets before version 3.44.2 and was published on 2026-05-21. The vulnerability is a SQL injection in message.php involving the frm_ticket_id and frm_resp_id POST parameters. Because those values are concatenated into WHERE clauses without sanitization, an authenticated attacker can alter query behavior and potentially read, modify, or destroy database contents. A fix is [truncated]
Open ISES Tickets versions before 3.44.2 are affected by an authenticated SQL injection in db_loader.php. The issue stems from multiple POST parameters being concatenated into mysqli connection arguments and dynamic SQL without sanitization, which can let an attacker alter query behavior and impact database contents. The referenced 3.44.2 release and fixing commit indicate a patch is available.
CVE-2026-48235 is a SQL injection flaw in Open ISES Tickets before version 3.44.2. The vulnerable code in incs/remotes.inc.php concatenates multiple fields parsed from external GPS tracking responses into SQL statements, creating a path for database manipulation if the remote tracker source is compromised or impersonated.
CVE-2026-48234 describes an authenticated SQL injection in Open ISES Tickets before version 3.44.2. The vulnerable code path concatenates the sort and dir GET parameters into an ORDER BY clause without sanitization, which can let an attacker alter query behavior. The stated impact includes unauthorized reading, modification, or destruction of database contents. The supplied CVSS 4.0 vector indicates netwo [truncated]
CVE-2026-48233 describes a SQL injection flaw in Open ISES Tickets before version 3.44.2. The issue is in ajax/sit_incidents.php, where the offset GET parameter is concatenated into a SQL LIMIT clause without sanitization. Because the vulnerable path is reachable by authenticated users, the risk is meaningful for environments that expose this feature to normal application accounts. The vendor attribution [truncated]
CVE-2026-48232 is a high-severity SQL injection in Open ISES Tickets before version 3.44.2. The issue is in ajax/fullsit_incidents.php, where the offset GET parameter is concatenated into a SQL LIMIT clause without sanitization. Because the application trusts attacker-controlled input in query construction, an authenticated attacker may alter database query behavior and potentially read, modify, or destro [truncated]
CVE-2026-48231 is an authenticated SQL injection vulnerability in Open ISES Tickets versions before 3.44.2. The issue is described in tables.php, where the POST parameters tablename, indexname, and sortby are concatenated into dynamic SELECT, UPDATE, and DELETE statements without sanitization. That can allow a crafted request to change query behavior and potentially read, modify, or destroy database conte [truncated]
CVE-2026-48230 describes a reflected cross-site scripting issue in Open ISES Tickets affecting ticketsmdb_import.php before version 3.44.2. According to the supplied vulnerability description, authenticated attackers could pass unsanitized POST values into HTML hidden input attributes and cause JavaScript to execute in a victim’s browser when the response is rendered. The available references point to an [truncated]
CVE-2026-48229 is a reflected cross-site scripting vulnerability in Open ISES Tickets versions before 3.44.2. The supplied advisory states that routes_i.php accepts an unsanitized ticket_id GET parameter and reflects it into HTML hidden input value attributes, allowing attacker-supplied JavaScript to execute in a victim's browser when the page renders. The linked fix is associated with the 3.44.2 release.
CVE-2026-48228 is a reflected cross-site scripting issue affecting Open ISES Tickets before version 3.44.2. The flaw is in patient_w.php, where unsanitized values from the id and ticket_id GET parameters are passed directly into an HTML form action URL. Because the response can echo attacker-controlled input into a browser-rendered page, an authenticated attacker can trigger script execution in a victim s [truncated]
CVE-2026-48227 is a reflected cross-site scripting issue in Open ISES Tickets, published on 2026-05-21. The flaw affects patient.php in versions before 3.44.2 and can let an authenticated attacker supply crafted id and ticket_id values that are rendered back into an HTML form action URL without proper sanitization. When a victim loads the affected response, the injected JavaScript can execute in the browser.
CVE-2026-48226 describes a reflected cross-site scripting issue in Open ISES Tickets versions before 3.44.2. The vulnerable code path is os_watch.php, where unsanitized ref and mode_orig POST parameters are passed into hidden form input value attributes, allowing attacker-supplied JavaScript to execute in a victim's browser when the response is rendered. The published fix points to version 3.44.2; defende [truncated]
CVE-2026-48225 is a reflected cross-site scripting issue in Open ISES Tickets versions before 3.44.2. The affected landb.php path passes an unsanitized _type POST parameter into an HTML hidden input value attribute, which can let an authenticated attacker inject JavaScript that executes in another user’s browser when the response is rendered. The issue was publicly recorded on 2026-05-21, with the fix ref [truncated]
CVE-2026-48224 is a reflected cross-site scripting flaw in the Open ISES Tickets project’s ics214.php handler. The supplied corpus says unsanitized frm_add_str POST data can be copied into an HTML hidden input value attribute, allowing attacker-supplied JavaScript to execute when the response is rendered. The issue is tied to the v3.44.2 release and a corresponding GitHub fix commit, while the NVD record [truncated]
CVE-2026-48223 is a reflected cross-site scripting issue in Open ISES Tickets affecting versions before 3.44.2. The flaw is tied to ics213rr.php, where an unsanitized frm_add_str POST parameter is placed directly into a hidden input value attribute, enabling JavaScript execution in a victim’s browser when the crafted response is rendered. The vulnerability was published on 2026-05-21 and NVD later listed [truncated]
CVE-2026-48222 is a reflected cross-site scripting issue in Open ISES Tickets before version 3.44.2. An authenticated attacker can place unsanitized input from the frm_add_str POST parameter into a hidden HTML input value in ics213.php, causing arbitrary JavaScript to execute when the page is rendered in a victim's browser. The reported CVSS severity is medium, and the flaw is categorized as CWE-79.
CVE-2026-48221 describes a reflected cross-site scripting issue in Open ISES Tickets affecting ics205a.php before version 3.44.2. The problem centers on the frm_add_str POST parameter being passed into an HTML hidden input value attribute without proper sanitization, allowing attacker-supplied script content to be reflected into the page. Vulnerability references point to a fixing commit and the v3.44.2 r [truncated]
CVE-2026-48220 describes a reflected cross-site scripting issue in Open ISES Tickets versions before 3.44.2. The vulnerable path is ics205.php, where the frm_add_str POST parameter is passed into an HTML hidden input value without sanitization. In practice, an authenticated attacker can submit a crafted request that causes arbitrary JavaScript to execute when the response is rendered in a victim’s browser [truncated]
CVE-2026-48219 covers a reflected cross-site scripting (XSS) issue in Open ISES Tickets before version 3.44.2. The vulnerable path is ics202.php, where an unsanitized value from the frm_add_str POST parameter is placed into an HTML hidden input value attribute. An authenticated attacker can supply a crafted request that causes browser-side JavaScript to execute when the response is rendered. NVD published [truncated]
CVE-2026-48218 was published on 2026-05-21 and describes a reflected cross-site scripting issue in Open ISES Tickets before version 3.44.2. The vulnerable path is icons/buttons/landb.php, where unsanitized frm_name and frm_id POST parameters are reflected into rendered HTML and inline JavaScript. The supplied sources indicate a fix is associated with the 3.44.2 release and a related code commit. NVD marke [truncated]
CVE-2026-48217 is a reflected cross-site scripting issue in Open ISES Tickets, affecting versions before 3.44.2. The flaw is in delete_module.php, where unsanitized POST inputs can flow into rendered HTML and form action attributes. Because the payload is executed in the browser when the response is rendered, an attacker with authentication and a way to induce a victim to load the crafted response could e [truncated]
CVE-2026-48216 is a reflected cross-site scripting issue reported in Open ISES Tickets before version 3.44.2. The issue is described as unsanitized POST parameters being inserted into HTML input value attributes in db_loader.php, allowing attacker-controlled JavaScript to run in a victim’s browser when the response is rendered. The published fix is associated with the v3.44.2 release and a linked repository commit.
CVE-2026-48215 is a reflected cross-site scripting issue in Open ISES Tickets before 3.44.2. Authenticated attackers can pass an unsanitized frm_id value to circle.php, where it is reflected into an HTML form input value attribute and can execute JavaScript in a victim's browser when the response is rendered. The issue is tracked by NVD with a published date of 2026-05-21 and references a fix commit plus [truncated]
CVE-2026-48213 is a reflected cross-site scripting issue in Open ISES Tickets prior to version 3.44.2. The problem is in add.php, where an unsanitized ticket_id POST value is inserted into an HTML form input value attribute. An authenticated attacker can send a crafted request so that malicious JavaScript executes in the victim’s browser when the response is rendered.