Reflected Cross-Site Scripting Vulnerability in Open ISES Tickets by Open ISES
CVE-2026-35013

5.1MEDIUM

Key Information:

Vendor: Openises
Status: Tickets
Vendor: CVE Published:; 20 May 2026

What is CVE-2026-35013?

An injected vulnerability in Open ISES Tickets prior to version 3.44.2 allows authenticated attackers to exploit reflected cross-site scripting. By manipulating the 'thelat' and 'thelng' GET parameters, an attacker can pass unsanitized input, enabling them to execute arbitrary JavaScript in a victim's browser. This attack can lead to unauthorized actions or data exposure when a user visits a crafted URL.

Affected Version(s)

tickets 0

References

https://github.com/openises/tickets/releases/tag/v3.44.2

release-notes

https://github.com/openises/tickets/commit/ecfeb406a01676...

patch

https://www.vulncheck.com/advisories/open-ises-tickets-re...

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2026
Vulnerability Reserved
Mar 31, 2026

Credit

philopentest

VulnCheck

CVE-2026-35013 Data

JSON

Openises

What is CVE-2026-35013?

Affected Version(s)

References

CVSS V4

Timeline

Credit