Database Exposure Vulnerability in Open ISES Tickets by Open ISES
CVE-2026-48241

9.2 CRITICAL

Key Information:

Vendor: Open Ises

Status
Vendor
CVE Published: 21 May 2026

What is CVE-2026-48241?

Open ISES Tickets prior to version 3.44.2 contains hardcoded MySQL database credentials in the loader.php file. This public-facing utility exposes the database username, password, and database name to anyone who can read the public source tree or a deployed installation where the file is accessible. An attacker with that read access can use the credentials to connect to the database if it is reachable, which can lead to data leakage and unauthorized operations.

Affected Version(s)

Tickets 0 < 3.44.2

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
