Reflected Cross-Site Scripting in Open ISES Tickets by OpenISES
CVE-2026-35014

5.1MEDIUM

Key Information:

Vendor: Openises
Status: Tickets
Vendor: CVE Published:; 20 May 2026

What is CVE-2026-35014?

Open ISES Tickets prior to version 3.44.2 contains a reflected cross-site scripting vulnerability in the routes_nm.php file. Authenticated attackers can exploit this by injecting arbitrary JavaScript into a hidden input field as a result of passing an unsanitized value through the ticket_id GET parameter. By crafting a malicious URL that includes a JavaScript payload within the ticket_id parameter, attackers can execute scripts in the browsers of unsuspecting users when the compromised URL is accessed.

Affected Version(s)

tickets 0

References

https://github.com/openises/tickets/releases/tag/v3.44.2

release-notes

https://github.com/openises/tickets/commit/ecfeb406a01676...

patch

https://www.vulncheck.com/advisories/open-ises-tickets-re...

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2026
Vulnerability Reserved
Mar 31, 2026

Credit

philopentest

VulnCheck

CVE-2026-35014 Data

JSON

Openises

What is CVE-2026-35014?

Affected Version(s)

References

CVSS V4

Timeline

Credit