Reflected XSS Vulnerability in Open ISES Tickets by OpenISES
CVE-2026-48228

5.1MEDIUM

Key Information:

Vendor

Open Ises

Status
Tickets
Vendor
CVE Published:
21 May 2026

What is CVE-2026-48228?

Open ISES Tickets prior to version 3.44.2 contains a reflected cross-site scripting vulnerability in the patient_w.php file. The flaw allows authenticated attackers to insert arbitrary JavaScript by exploiting unsanitized inputs from the id and ticket_id GET parameters directly within an HTML form action URL. Cybercriminals can craft malicious requests containing JavaScript payloads, which, when processed, execute in the browsers of affected users upon rendering the response.

Affected Version(s)

Tickets 0 < 3.44.2

References

https://github.com/openises/tickets/releases/tag/v3.44.2
release-notes
https://github.com/openises/tickets/commit/ecfeb406a01676...
patch
https://www.vulncheck.com/advisories/open-ises-tickets-re...
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.