Reflected Cross-Site Scripting Vulnerability in Open ISES Tickets by Open ISES
CVE-2026-48219

5.1 MEDIUM

Key Information:

Vendor: Open Ises

Status
Vendor
CVE Published: 21 May 2026

What is CVE-2026-48219?

The Open ISES Tickets application is vulnerable to reflected cross-site scripting due to improper sanitization of user input in the ics202.php file. Authenticated attackers can exploit this vulnerability by sending crafted requests that contain JavaScript code injected via the frm_add_str POST parameter. When the manipulated data is included in the hidden input value of an HTML form, it may execute in a victim's browser, potentially leading to unauthorized actions and data theft. This vulnerability underscores the importance of robust input validation and sanitization practices in web applications.
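The pattern described above, shown as an added example rather than code from Open ISES Tickets: a POST value echoed into a hidden input's `value` attribute, first without encoding and then encoded for the attribute context. Only the parameter name `frm_add_str` comes from this page; the helper names and the sample value are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; not Open ISES source. Helper names are hypothetical.

// Read a POST field as a string. PHP turns "name[]=x" into an array,
// so anything that is not a string is rejected rather than cast.
function post_string(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? $value : '';
}

// Unsafe pattern: the value is concatenated into the attribute as-is,
// so a double quote in the input ends the value="" attribute early.
function hidden_field_unsafe(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function hidden_field(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        htmlspecialchars($name, $flags, 'UTF-8'),
        htmlspecialchars($value, $flags, 'UTF-8')
    );
}

// Constructed sample request body (benign markup characters only).
$post = ['frm_add_str' => 'Unit "A" <north> & \'B\''];
$value = post_string($post, 'frm_add_str');

echo hidden_field_unsafe('frm_add_str', $value), PHP_EOL;
echo hidden_field('frm_add_str', $value), PHP_EOL;
```

In the first line of output the quote after `Unit ` closes the attribute and the rest of the input is parsed as markup; in the second the whole string stays inside `value` as character references.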

Affected Version(s)

Tickets 0 < 3.44.2

References

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
