Reflected XSS Vulnerability in Open ISES Tickets by Open ISES
CVE-2026-48220

5.1 MEDIUM

Key Information:

Vendor: Open ISES

Status
Vendor
CVE Published: 21 May 2026

What is CVE-2026-48220?

The Open ISES Tickets application, prior to version 3.44.2, is susceptible to a reflected cross-site scripting (XSS) vulnerability. The issue arises from improper sanitization of user-supplied input passed through the frm_add_str POST parameter in the ics205.php file. Authenticated attackers can exploit this vulnerability by sending specially crafted requests that inject malicious JavaScript code. The injected script runs in the browser of an unsuspecting user when the application's response is processed, potentially leading to a range of harmful effects.

Affected Version(s)

Tickets 0 < 3.44.2

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved