SQL Injection Vulnerability in Open ISES Tickets by Open ISES
CVE-2026-48240
7.1 HIGH
What is CVE-2026-48240?
The Open ISES Tickets application prior to version 3.44.2 is susceptible to a SQL injection vulnerability due to unsanitized input in the ajax/statistics.php file. Specifically, the tick_id and f_tick_id POST parameters are directly used in the WHERE clauses of SELECT statements within database queries. This flaw can be exploited by authenticated attackers who can craft specific requests to manipulate query logic, potentially allowing them to read, alter, or delete database information. Timely updates are critical to mitigating the risks associated with this vulnerability.
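The following is an added example, not code from Open ISES Tickets or from ajax/statistics.php: it contrasts the concatenation pattern the description names with an integer-validated, parameter-bound query for the tick_id and f_tick_id POST fields. The in-memory SQLite table `demo_ticket`, its rows, the function names and the request arrays are all assumptions constructed for the demonstration.

```php
<?php
// Added illustration, not Open ISES Tickets source. Table, rows and inputs are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE demo_ticket (id INTEGER PRIMARY KEY, scope TEXT)');
$pdo->exec("INSERT INTO demo_ticket (id, scope) VALUES (1, 'alpha'), (2, 'bravo'), (3, 'charlie')");

// Pattern the advisory describes: the POST value is placed directly in the WHERE clause.
function lookup_concatenated(PDO $pdo, array $post, string $field): array
{
    $sql = 'SELECT id, scope FROM demo_ticket WHERE id = ' . ($post[$field] ?? '0');
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: accept only a positive integer, then bind it as a typed parameter.
function lookup_bound(PDO $pdo, array $post, string $field): array
{
    $id = filter_var($post[$field] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException("$field must be a positive integer");
    }
    $stmt = $pdo->prepare('SELECT id, scope FROM demo_ticket WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request bodies: one well-formed, one carrying extra SQL after the number.
$requests = [
    'well-formed' => ['tick_id' => '2', 'f_tick_id' => '3'],
    'malformed'   => ['tick_id' => '2 OR 1=1', 'f_tick_id' => '3 OR 1=1'],
];

foreach ($requests as $label => $post) {
    foreach (['tick_id', 'f_tick_id'] as $field) {
        $rows = count(lookup_concatenated($pdo, $post, $field));
        printf("%-11s %-9s concatenated: %d row(s)\n", $label, $field, $rows);
        try {
            $rows = count(lookup_bound($pdo, $post, $field));
            printf("%-11s %-9s bound:        %d row(s)\n", $label, $field, $rows);
        } catch (InvalidArgumentException $e) {
            printf("%-11s %-9s bound:        rejected (%s)\n", $label, $field, $e->getMessage());
        }
    }
}
```

Run with the PHP CLI and the pdo_sqlite extension enabled. The concatenated lookup returns a different row count for the malformed input than for the well-formed one, while the bound lookup rejects it before any query is issued.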
Affected Version(s)
Tickets 0 < 3.44.2
