SQL Injection Vulnerability in osTicket by osTicket Inc.
CVE-2025-26241

6.5MEDIUM

Key Information:

Vendor: osTicket Inc.
Status: osTicket
Vendor: CVE Published:; 5 May 2025

🔔 Create osTicket Inc. Vulnerability Alert

What is CVE-2025-26241?

The 'Search' functionality within the 'tickets.php' page of osTicket versions prior to 1.17.5 is susceptible to a SQL injection vulnerability. Authenticated attackers can exploit this flaw by manipulating the 'keywords' and 'topic_id' URL parameters, allowing them to execute unauthorized SQL commands. This vulnerability poses a significant risk as it can lead to unauthorized access, data manipulation, or data leakage.

References

https://members.backbox.org/osticket-sql-injection-bypass/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2025
Vulnerability Reserved
Feb 7, 2025

CVE-2025-26241 Data

JSON