Reflected Cross-Site Scripting Vulnerability in Open ISES Tickets by Open ISES
CVE-2026-48225

5.1MEDIUM

Key Information:

Vendor

Open Ises

Status
Tickets
Vendor
CVE Published:
21 May 2026

What is CVE-2026-48225?

The Open ISES Tickets application prior to version 3.44.2 is susceptible to a reflected cross-site scripting (XSS) vulnerability found in landb.php. An attacker can exploit this flaw by sending a crafted request that includes an unsanitized value through the _type POST parameter. This value can be injected directly into an HTML form's hidden input value attribute. When the response is rendered, any embedded JavaScript payload could then execute within the browser of the victim, potentially leading to session hijacking, data manipulation, or other malicious actions.

Affected Version(s)

Tickets 0 < 3.44.2

References

https://github.com/openises/tickets/releases/tag/v3.44.2
release-notes
https://github.com/openises/tickets/commit/ecfeb406a01676...
patch
https://www.vulncheck.com/advisories/open-ises-tickets-re...
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.