Stored XSS Vulnerability in osTicket Affects Multiple Versions
CVE-2026-36214
5.4MEDIUM
What is CVE-2026-36214?
Certain versions of osTicket are susceptible to a stored Cross-Site Scripting (XSS) vulnerability caused by the insecure implementation of a Bootstrap Tooltip component and inadequate HTML sanitization. This flaw enables remote attackers to inject and execute arbitrary JavaScript code within Agent or Admin sessions, potentially compromising sensitive data or user interactions. Users are advised to upgrade to the latest version to patch this vulnerability.
