Arbitrary File Read Vulnerability in osTicket by Enhancesoft
CVE-2026-22200

8.7 HIGH

Key Information:

Status
Vendor
CVE Published: 12 January 2026

Badges

📈 Score: 851 | 👾 Exploit Exists | 🟑 Public PoC | 🟣 EPSS 73%

What is CVE-2026-22200?

CVE-2026-22200 is a significant security vulnerability affecting the osTicket support ticketing system developed by Enhancesoft. It is classified as an arbitrary file read in the ticket PDF export functionality. The flaw arises from insufficient sanitization of rich-text HTML input: an attacker submits a specially crafted ticket whose HTML contains PHP filter expressions, and when that ticket is exported to PDF, the export embeds files from the server's filesystem as bitmap images. This can severely compromise an organization's data security, because sensitive local files are disclosed to unauthorized users who can obtain the export.

The problem is particularly acute in default configurations of osTicket, where guest users are permitted to create tickets or where self-registration is enabled. Organizations running osTicket are therefore at risk if they have not yet updated to the versions that fix this vulnerability: the 1.18.x releases prior to 1.18.3 and the 1.17.x releases prior to 1.17.7 are affected.
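The defensive check a practitioner would want here is an allow-list on every resource reference in the rich-text body before it reaches a server-side PDF renderer, since a renderer that will fetch whatever scheme it is handed is the mechanism the description above relies on. The following is an added example, not osTicket's own sanitizer or any code from Enhancesoft or Horizon3.ai; the HTML bodies at the bottom are constructed, and the `EXAMPLE` parts of the hostile references are placeholders rather than real filter chains or paths. It only permits `http(s)` URLs and inline raster `data:` images and flags everything else, including a `php://` reference whose scheme is hidden behind control characters or inside a CSS `url()`.

```python
"""Allow-list check on resource references in rich-text HTML, run before
the HTML is handed to a PDF renderer. Added example; not osTicket code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Only remote HTTP(S) resources and inline raster images are passed through.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_DATA_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
# Attributes a renderer may treat as something to fetch.
URL_ATTRS = {"src", "data", "href", "poster", "background"}
CSS_URL_RE = re.compile(r'''url\(\s*["']?([^"')]*)["']?\s*\)''', re.IGNORECASE)
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_reference(ref: str) -> str:
    """Drop the characters a lenient URL parser ignores, so that embedded
    tabs/newlines or a leading control byte cannot disguise the scheme."""
    ref = re.sub(r"[\t\r\n]", "", ref)
    return ref.strip(_C0_AND_SPACE)


def classify_reference(ref: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a single resource reference."""
    parts = urlsplit(normalize_reference(ref))
    scheme = parts.scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        return True, "remote http(s) resource"
    if scheme == "data":
        media_type = parts.path.split(";", 1)[0].split(",", 1)[0].lower()
        if media_type in ALLOWED_DATA_TYPES:
            return True, "inline raster image"
        return False, f"data: URL with disallowed media type {media_type!r}"
    if scheme == "":
        # A server-side renderer resolves a bare path against the local
        # filesystem, so scheme-less references are rejected here. A deployment
        # may replace this branch with its own attachment-URL prefix allow-list.
        return False, "scheme-less (local path) reference"
    return False, f"disallowed scheme {scheme!r}"


class UnsafeReferenceFinder(HTMLParser):
    """Collects every resource reference that fails the allow-list."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[dict] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS:
                self._check(tag, name, value)
            elif name == "srcset":  # comma-separated "url [descriptor]" list
                for candidate in value.split(","):
                    url = candidate.strip().split(" ", 1)[0]
                    if url:
                        self._check(tag, name, url)
            elif name == "style":  # inline CSS may carry url(...) references
                for url in CSS_URL_RE.findall(value):
                    self._check(tag, name, url)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # url(...) inside a <style> block
            for url in CSS_URL_RE.findall(data):
                self._check("style", "css", url)

    def _check(self, tag, attr, ref):
        allowed, reason = classify_reference(ref)
        if not allowed:
            self.findings.append({"tag": tag, "attr": attr, "ref": ref, "reason": reason})


def find_unsafe_references(html: str) -> list[dict]:
    """Every flagged reference, in document order, for logging/alerting."""
    finder = UnsafeReferenceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def is_safe_for_pdf_export(html: str) -> bool:
    """Gate: hand the body to the renderer only if nothing was flagged."""
    return not find_unsafe_references(html)


# Constructed sample ticket bodies (not taken from any real submission).
BENIGN_TICKET = (
    "<p>Printer on floor 2 is offline.</p>"
    '<img src="https://tickets.example/attachments/screenshot.png" alt="s">'
    '<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline">'
)
SUSPICIOUS_TICKET = (
    "<p>Please see attached.</p>"
    '<img src=" \tPHP://filter/EXAMPLE">'
    '<img src="file:///EXAMPLE">'
    '<div style="background-image:url(php://filter/EXAMPLE)">x</div>'
    '<img src="/EXAMPLE/local/path.png">'
)

if __name__ == "__main__":
    print("benign safe:", is_safe_for_pdf_export(BENIGN_TICKET))
    for finding in find_unsafe_references(SUSPICIOUS_TICKET):
        print("flagged:", finding)
```

Because the decision is made on the scheme of each reference rather than on recognizing any particular filter chain, the same gate covers other non-HTTP schemes a renderer might resolve. Running `find_unsafe_references` at ticket submission time, and logging its findings, also gives a detection signal for exploitation attempts against an instance that has not yet been upgraded.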

Potential Impact of CVE-2026-22200

  1. Data Exposure: The primary risk associated with CVE-2026-22200 is the unauthorized disclosure of sensitive information. Since attackers can craft tickets that reveal local filesystem files, sensitive data, including personally identifiable information (PII) and proprietary business information, may be compromised.

  2. System Misconfiguration and Exploitation: Given that the vulnerability is exploitable in configurations where guest ticket submissions are allowed, it opens a pathway for attackers to exploit poorly secured systems. Organizations that fail to properly restrict access could face critical security breaches, leading to a loss of trust and reputational damage.

  3. Increased Attack Surface for Ransomware: While the vulnerability itself may not be directly linked to known ransomware activity, the exposure of sensitive files could potentially aid ransomware groups or other malicious actors in further compromising systems. Revealed sensitive files might contain credentials or other critical information that could facilitate broader attacks.

Affected Version(s)

osTicket (Linux): 1.18.0 up to, but not including, 1.18.3

osTicket (Linux): 1.17.0 up to, but not including, 1.17.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

EPSS Score

73% chance of being exploited in the next 30 days.

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟑 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability reserved

Credit

Naveen Sunkavally, Horizon3.ai