PatchSiren cyber security CVE debrief
CVE-2026-8194 Vuldb CVE debrief
CVE-2026-8194 is a low-severity cross-site request forgery issue reported in osTicket versions up to 1.18.3. The source record says the problem is in include/class.dispatcher.php within the Dispatcher component and can be triggered by manipulating the _method argument. The same source also notes that the issue was publicly disclosed and that the project was notified early via a pull request, but had not reacted at the time of publication.
- Vendor: Vuldb
- Product: Unknown
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
Administrators and security teams running osTicket installations up to 1.18.3, especially environments that expose authenticated administrative or ticket-management workflows in a browser.
Technical summary
The source corpus describes a CSRF weakness in osTicket's Dispatcher logic: the client-supplied _method parameter can change how a request is routed, so an attacker who lures an authenticated user to a crafted page can make the victim's browser submit a request that performs a state-changing action the victim did not intend. The record maps the issue to CWE-352 (cross-site request forgery) and CWE-862 (missing authorization) and rates it low severity overall, with a network attack vector and user interaction required. The supplied corpus contains no vendor patch notice and no confirmed fixed release.
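To make the pattern concrete, the following is an added illustration in Python. It is not osTicket's code and makes no claim about how include/class.dispatcher.php is actually written; only the _method parameter name comes from the record. It shows a toy dispatcher that trusts a _method override taken from the URL query string, beside a hardened version that honours the override only inside the body of a genuine POST and requires a session-bound anti-CSRF token before any state-changing handler runs. The route, the csrf_token field name, the HMAC token scheme and the session secret are assumptions chosen for the example.

```python
"""Added illustration of a method-override CSRF weakness (not osTicket code).

Routes, field names (_method, csrf_token) and the token scheme are assumptions
chosen for the example; only the _method parameter name comes from the record.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str                                  # verb the browser actually sent
    path: str
    query: dict = field(default_factory=dict)    # URL parameters (present on any verb)
    form: dict = field(default_factory=dict)     # body parameters (only on a real POST)
    session: dict = field(default_factory=dict)  # server-side session selected by the cookie


def close_ticket(req, state):
    """A state-changing handler: marks a ticket closed and reports what it did."""
    ticket_id = req.form.get("id") or req.query.get("id")
    state["closed"].add(ticket_id)
    return f"closed:{ticket_id}"


# Only the POST verb is routed to the handler; a plain GET must never reach it.
ROUTES = {("POST", "/tickets/close"): close_ticket}


def effective_method_unsafe(req):
    """Vulnerable pattern: any request, even a GET, may rename its verb via _method."""
    override = req.query.get("_method") or req.form.get("_method")
    return (override or req.method).upper()


def dispatch_unsafe(req, state):
    handler = ROUTES.get((effective_method_unsafe(req), req.path))
    return handler(req, state) if handler else "404"


def csrf_token(session):
    """Anti-CSRF token derived from a per-session secret; compared in constant time."""
    return hmac.new(session["secret"].encode(), b"csrf", hashlib.sha256).hexdigest()


def effective_method_safe(req):
    """Hardened: honour _method only from the body of a genuine POST, never from the URL."""
    if req.method.upper() != "POST":
        return req.method.upper()
    return (req.form.get("_method") or "POST").upper()


def dispatch_safe(req, state):
    method = effective_method_safe(req)
    if method in STATE_CHANGING:
        # Every state-changing request must prove it came from a page we rendered.
        supplied = req.form.get("csrf_token", "")
        if not hmac.compare_digest(supplied, csrf_token(req.session)):
            return "403"
    handler = ROUTES.get((method, req.path))
    return handler(req, state) if handler else "404"


def scenarios():
    """Run the three cases a reviewer cares about and return their outcomes."""
    session = {"secret": "constructed-session-secret"}
    unsafe_state, safe_state = {"closed": set()}, {"closed": set()}

    # 1. Cross-site <img src=".../tickets/close?id=42&_method=POST">: the session cookie
    #    rides along, the browser sends a GET, the attacker controls the query string.
    lured_get = Request("GET", "/tickets/close",
                        query={"id": "42", "_method": "POST"}, session=session)
    # 2. Cross-site auto-submitting form: a real POST, but the attacker cannot know the token.
    forged_post = Request("POST", "/tickets/close", form={"id": "42"}, session=session)
    # 3. The application's own form, carrying the token it rendered into the page.
    genuine_post = Request("POST", "/tickets/close",
                           form={"id": "42", "csrf_token": csrf_token(session)}, session=session)

    return {
        "unsafe_lured_get": dispatch_unsafe(lured_get, unsafe_state),
        "safe_lured_get": dispatch_safe(lured_get, safe_state),
        "safe_forged_post": dispatch_safe(forged_post, safe_state),
        "safe_genuine_post": dispatch_safe(genuine_post, safe_state),
        "unsafe_closed": sorted(unsafe_state["closed"]),
        "safe_closed": sorted(safe_state["closed"]),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The first scenario is the one that matters for a record of this shape: a cross-site GET carrying `_method=POST` reaches the state-changing handler in the unsafe dispatcher and closes the ticket, while the hardened dispatcher routes it as a GET and finds no handler. The forged POST is rejected with 403 because the token is session-bound, and only the application's own form succeeds.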
Defensive priority
Monitor and remediate opportunistically. This is not described as a high-severity or mass-exploitation issue in the provided record, but it can still enable unauthorized actions in authenticated sessions and should be addressed in normal patch cycles.
Recommended defensive actions
- Inventory osTicket deployments and confirm whether any instance is running version 1.18.3 or earlier.
- Review authenticated workflows for CSRF protections, especially any request-routing logic that depends on the _method parameter.
- Apply the vendor fix or upgrade as soon as an official patched release is available from the project.
- If immediate patching is not possible, reduce exposure by restricting network access to the staff and admin interface and by setting the SameSite attribute (Lax or Strict) on session cookies so that cross-site requests do not carry the session.
- Validate that every state-changing endpoint checks a session-bound anti-CSRF token and does not decide whether a request is safe from the HTTP verb alone, since a client-supplied _method parameter can spoof the verb.
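For the inventory and review steps above, a first triage pass over web server access logs can surface requests that carry a _method override in the URL, which is the parameter the record names. The following Python is an added example, not osTicket's tooling; the log lines, the helpdesk.example.com host and the /scp/tickets.php paths are constructed for the example and are not a claim about which osTicket routes are affected.

```python
"""Added detection example (not osTicket code): flag HTTP requests that carry a
_method override in the URL query string, the parameter named in the record.

The access-log lines, host names and paths below are constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample; helpdesk.example.com stands in for the osTicket host.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2026:10:01:02 +0000] "GET /scp/tickets.php?id=42&_method=POST HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.5 - - [09/May/2026:10:01:05 +0000] "POST /scp/tickets.php HTTP/1.1" 200 512 "https://helpdesk.example.com/scp/tickets.php?id=42" "Mozilla/5.0"
198.51.100.9 - - [09/May/2026:10:02:11 +0000] "GET /scp/tickets.php?id=42 HTTP/1.1" 200 4096 "https://helpdesk.example.com/scp/" "Mozilla/5.0"
203.0.113.8 - - [09/May/2026:10:03:40 +0000] "POST /scp/tickets.php?_method=DELETE HTTP/1.1" 200 100 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def method_override_findings(lines, own_host="helpdesk.example.com"):
    """Return one finding per request whose query string carries _method, with reasons.

    A _method override on a verb other than POST is the strongest signal, because
    GET-style requests are exactly what a cross-site image or link can trigger.
    A referer from another host, or no referer at all, raises the suspicion further.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        params = parse_qs(urlsplit(rec["target"]).query)
        if "_method" not in params:
            continue
        reasons = ["_method override in query string"]
        if rec["method"] != "POST":
            reasons.append(f"override on {rec['method']}")
        referer = rec["referer"]
        if referer in ("", "-"):
            reasons.append("no referer")
        elif urlsplit(referer).hostname != own_host:
            reasons.append("cross-site referer")
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "target": rec["target"],
            "override": params["_method"][0],
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in method_override_findings(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["ip"], f["target"], "->", "; ".join(f["reasons"]))
```

Two caveats a practitioner should keep in mind: access logs only show the URL, so an override supplied in a POST body is invisible to this pass and has to be checked at the application layer; and an absent Referer is normal for some clients and privacy settings, so it is a supporting signal, not proof of forgery.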
Evidence notes
This debrief is based only on the supplied NVD-modified record and its linked references. The source record explicitly states osTicket up to 1.18.3 is affected, identifies include/class.dispatcher.php and the _method argument as the issue area, and associates the weakness with CWE-352 and CWE-862. The record also says the exploit was publicly disclosed and that the project was informed early through a pull request. No exploit code, reproduction steps, or unverified patch details were used.
Official resources
Public disclosure is indicated in the source corpus. The record states the exploit has been disclosed publicly and that the project was informed early via a pull request, but no reaction had been made at the time of the source update.