Reflected Cross-Site Scripting in Open ISES Tickets by Open ISES
CVE-2026-35012

5.1MEDIUM

Key Information:

Vendor: Openises
Status: Tickets
Vendor: CVE Published:; 20 May 2026

What is CVE-2026-35012?

Open ISES Tickets prior to version 3.44.2 contains a reflected cross-site scripting vulnerability in the add_facnote.php file. This flaw enables authenticated attackers to inject arbitrary JavaScript by submitting an unsanitized value through the ticket_id parameter in a GET request. When a user visits the crafted URL, the malicious JavaScript executes in their browser, potentially leading to data theft or session hijacking.

Affected Version(s)

tickets 0

References

https://github.com/openises/tickets/releases/tag/v3.44.2

release-notes

https://github.com/openises/tickets/commit/ecfeb406a01676...

patch

https://www.vulncheck.com/advisories/open-ises-tickets-re...

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2026
Vulnerability Reserved
Mar 31, 2026

Credit

philopentest

VulnCheck

CVE-2026-35012 Data

JSON

Openises

What is CVE-2026-35012?

Affected Version(s)

References

CVSS V4

Timeline

Credit