SQL Injection Vulnerability in Open ISES Tickets by Open ISES
CVE-2026-48239

7.1HIGH

Key Information:

Vendor

Open Ises

Status
Tickets
Vendor
CVE Published:
21 May 2026

What is CVE-2026-48239?

Open ISES Tickets prior to version 3.44.2 is susceptible to a SQL injection flaw in the ajax/reports.php script. The vulnerability occurs due to improper handling of the tick_id POST parameter, which is directly concatenated into the WHERE clause of SELECT statements. Attackers with authenticated access can exploit this weakness to craft malicious requests, potentially allowing them to read, modify, or delete database entries, thereby compromising the integrity of the application and its data.

Affected Version(s)

Tickets 0 < 3.44.2

References

https://github.com/openises/tickets/releases/tag/v3.44.2
release-notes
https://github.com/openises/tickets/commit/ecfeb406a01676...
patch
https://www.vulncheck.com/advisories/open-ises-tickets-sq...
third-party-advisory

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.