SQL Injection Vulnerability in Open ISES Tickets by Open ISES
CVE-2026-48236

7.1HIGH

Key Information:

Vendor

Open Ises

Status
Tickets
Vendor
CVE Published:
21 May 2026

What is CVE-2026-48236?

The Open ISES Tickets software prior to version 3.44.2 contains a vulnerability in the db_loader.php file, which is susceptible to SQL injection attacks. Multiple POST parameters—including ticketsdb, ticketshost, ticketsuser, and ticketspassword—are used without proper sanitization, allowing authenticated attackers to manipulate dynamic SQL queries. By crafting specific requests, attackers can read, modify, or even destroy sensitive database contents, posing significant risks to data integrity and confidentiality.

Affected Version(s)

Tickets 0 < 3.44.2

References

https://github.com/openises/tickets/releases/tag/v3.44.2
release-notes
https://github.com/openises/tickets/commit/ecfeb406a01676...
patch
https://www.vulncheck.com/advisories/open-ises-tickets-sq...
third-party-advisory

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.