Reflected Cross-Site Scripting in Open ISES Tickets by OpenISES
CVE-2026-48224

5.1MEDIUM

Key Information:

Vendor

Open Ises

Status
Tickets
Vendor
CVE Published:
21 May 2026

What is CVE-2026-48224?

Open ISES Tickets prior to version 3.44.2 contains a reflected cross-site scripting vulnerability located in the ics214.php file. This vulnerability allows authenticated attackers to inject arbitrary JavaScript code by exploiting the unsanitized frm_add_str POST parameter. By crafting a specially designed request that includes a malicious JavaScript payload, an attacker can execute scripts in the context of the victim's browser, potentially leading to unauthorized actions or data exposure. The vulnerability can be effectively mitigated through the update available in version 3.44.2.

Affected Version(s)

Tickets 0 < 3.44.2

References

https://github.com/openises/tickets/releases/tag/v3.44.2
release-notes
https://github.com/openises/tickets/commit/ecfeb406a01676...
patch
https://www.vulncheck.com/advisories/open-ises-tickets-re...
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.