SQL Injection Vulnerability in Open ISES Tickets by Open ISES
CVE-2026-48233

7.1HIGH

Key Information:

Vendor

Open Ises

Status
Tickets
Vendor
CVE Published:
21 May 2026

What is CVE-2026-48233?

The Open ISES Tickets application prior to version 3.44.2 is vulnerable to a SQL injection flaw. This issue arises in the ajax/sit_incidents.php file, where the unsanitized 'offset' GET parameter is directly used in the LIMIT clause of a SQL SELECT query. This can enable authenticated attackers to manipulate the database queries, allowing them to read, modify, or potentially destroy critical database contents. It is crucial for users of this software to upgrade to the latest version to mitigate this risk.

Affected Version(s)

Tickets 0 < 3.44.2

References

https://github.com/openises/tickets/releases/tag/v3.44.2
release-notes
https://github.com/openises/tickets/commit/ecfeb406a01676...
patch
https://www.vulncheck.com/advisories/open-ises-tickets-sq...
third-party-advisory

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.