SQL Injection Vulnerability in Open ISES Tickets by Open ISES
CVE-2026-48235

8.8 HIGH

Key Information:

Vendor: Open Ises

Status
Vendor
CVE Published: 21 May 2026

What is CVE-2026-48235?

The Open ISES Tickets application prior to version 3.44.2 contains a SQL injection vulnerability found in the incs/remotes.inc.php file. This issue arises from the improper handling of user inputs parsed from external GPS tracking services, including latitude, longitude, callsign, mph, altitude, and timestamp data. An attacker leveraging access to a compromised or impersonated GPS tracking endpoint can inject malicious SQL queries into the application. This could lead to unauthorized manipulation of responder locations, track data, and assignment records, posing a significant risk to application integrity and the security of sensitive information.
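
The class of fix for the flaw described above, as an added example that is not code from Open ISES Tickets or its patch: every field parsed from the tracking feed is type- and range-checked, then written with bound parameters. The function names, the `tracks_demo` table, the callsign pattern, the numeric ranges and the epoch-seconds timestamp format are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: validate one position report parsed from a remote feed.
// Returns typed values, or null if any field fails its check.
function validate_fix(array $raw): ?array
{
    $ranges = ['lat' => [-90.0, 90.0], 'lng' => [-180.0, 180.0],
               'mph' => [0.0, 1000.0], 'altitude' => [-1000.0, 100000.0]];
    $out = [];
    foreach ($ranges as $key => [$min, $max]) {
        $v = filter_var($raw[$key] ?? null, FILTER_VALIDATE_FLOAT);
        if ($v === false || $v < $min || $v > $max) { return null; }
        $out[$key] = $v;
    }
    // Assumed callsign shape: 1-16 letters, digits or hyphens.
    $cs = $raw['callsign'] ?? null;
    if (!is_string($cs) || !preg_match('/^[A-Za-z0-9-]{1,16}$/D', $cs)) { return null; }
    // Assumed timestamp format: Unix epoch seconds.
    $ts = filter_var($raw['timestamp'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($ts === false) { return null; }
    return $out + ['callsign' => $cs, 'timestamp' => $ts];
}

// Store a validated fix; every value is bound, never concatenated into the SQL text.
function store_fix(PDO $db, array $fix): void
{
    $stmt = $db->prepare(
        'INSERT INTO tracks_demo (callsign, lat, lng, mph, altitude, ts)
         VALUES (:callsign, :lat, :lng, :mph, :altitude, :timestamp)');
    $stmt->execute($fix);
}

$db = new PDO('sqlite::memory:'); // in-memory stand-in for the real database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tracks_demo (callsign TEXT, lat REAL, lng REAL, mph REAL, altitude REAL, ts INTEGER)');

// Constructed sample feed records: one well-formed, one with SQL text in a numeric field.
$feed = [
    ['callsign' => 'MEDIC-7', 'lat' => '38.9784', 'lng' => '-76.4922', 'mph' => '31', 'altitude' => '12', 'timestamp' => '1779321600'],
    ['callsign' => 'MEDIC-8', 'lat' => "38.97' OR '1'='1", 'lng' => '-76.49', 'mph' => '0', 'altitude' => '0', 'timestamp' => '1779321600'],
];
foreach ($feed as $raw) {
    $fix = validate_fix($raw);
    if ($fix === null) { error_log('rejected malformed position report'); continue; }
    store_fix($db, $fix);
}
echo $db->query('SELECT COUNT(*) FROM tracks_demo')->fetchColumn(), " row(s) stored\n";
```

Rejected reports are logged rather than silently dropped, which gives operators a signal that a tracking endpoint is returning unexpected data.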

Affected Version(s)

Tickets 0 < 3.44.2

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved