Stored XSS Vulnerability in osTicket Affects Multiple Versions
CVE-2026-36214

5.4MEDIUM

Key Information:

Vendor

osTicket

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-36214?

Certain versions of osTicket are susceptible to a stored Cross-Site Scripting (XSS) vulnerability caused by the insecure implementation of a Bootstrap Tooltip component and inadequate HTML sanitization. This flaw enables remote attackers to inject and execute arbitrary JavaScript code within Agent or Admin sessions, potentially compromising sensitive data or user interactions. Users are advised to upgrade to the latest version to patch this vulnerability.

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.