These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-35016 is a reflected cross-site scripting issue reported in Open ISES Tickets before version 3.44.2. The vulnerability is described as an unsanitized frm_query POST value being inserted into an HTML input field VALUE attribute in search.php, which can let a logged-in attacker trigger JavaScript execution in a victim’s browser. The fixed release is 3.44.2.
CVE-2026-35015 is a reflected cross-site scripting (XSS) vulnerability in Open ISES Tickets before version 3.44.2. According to the supplied advisory and NVD record, the issue is in do_unit_mail.php, where an unsanitized the_ticket GET parameter is inserted into a JavaScript variable assignment. That can let an authenticated attacker cause script execution in a victim’s browser when a crafted URL is visit [truncated]
CVE-2026-35014 is a reflected cross-site scripting issue in Open ISES Tickets affecting versions before 3.44.2. An authenticated attacker can supply a crafted ticket_id value that is reflected into a hidden input field without proper sanitization, causing arbitrary JavaScript to run in a victim’s browser when the malicious URL is opened.
CVE-2026-35013 is a reflected cross-site scripting issue in Open ISES Tickets before version 3.44.2. The problem is described as unsanitized thelat and thelng GET parameters being inserted directly into JavaScript variable assignments in street_view.php, which can let a crafted link execute attacker-controlled script in a victim’s browser when the URL is visited. The supplied data identifies CWE-79 and a [truncated]
CVE-2026-35012 affects Open ISES Tickets before version 3.44.2 and is a reflected cross-site scripting issue in add_facnote.php. The issue occurs when an unsanitized ticket_id GET parameter is written into a hidden input field's value attribute, allowing attacker-controlled script to execute in a victim's browser when a crafted URL is visited. NVD and the VulnCheck advisory both point to a fix in the 3.44 [truncated]
CVE-2026-35011 is a reflected cross-site scripting issue in Open ISES Tickets before version 3.44.2. According to the provided advisory and NVD record, the opena.php endpoint can reflect an unsanitized frm_call GET parameter into page output, allowing JavaScript injection in a victim’s browser when a crafted URL is visited. NVD lists the issue as CVSS 5.1/Medium, and the referenced fix is included in the [truncated]
CVE-2026-35010 affects Open ISES Tickets versions before 3.44.2 and is described as a reflected cross-site scripting issue in patient_JF.php. The supplied records say an unsanitized ticket_id value is placed into a JavaScript variable assignment, allowing a crafted URL to trigger script execution in the victim’s browser. The references point to a fix in v3.44.2, plus a related GitHub commit and VulnCheck advisory.
CVE-2026-35009 is a reflected cross-site scripting issue reported in Open ISES Tickets before version 3.44.2. The published description says an unsanitized ticket_id GET parameter is reflected into a hidden input VALUE attribute in add_note.php, allowing an authenticated attacker to inject JavaScript that runs in a victim's browser when a crafted URL is opened. The linked 3.44.2 release and commit indicat [truncated]
CVE-2026-35008 is a reflected cross-site scripting issue in Open ISES Tickets that was publicly disclosed on 2026-05-20. According to the supplied record, versions before 3.44.2 pass an unsanitized ticket_id GET parameter into an HTML attribute in single.php, allowing attacker-controlled JavaScript to run when a crafted link is opened. The issue is rated CVSS 5.1 (Medium) and is primarily a web-browser co [truncated]
CVE-2026-35007 describes a reflected cross-site scripting issue in Open ISES Tickets before version 3.44.2. The flaw is in single_unit.php, where an unsanitized id GET parameter is passed into an HTML attribute. An authenticated attacker can craft a malicious URL so that JavaScript executes when a victim opens the link. The CVE was published on 2026-05-20 and no KEV entry is provided in the supplied corpus.