Open ISES Tickets Vulnerability in Outbound HTTPS Requests
CVE-2026-48247

8.2 HIGH

Key Information:

Vendor: Open Ises

Status
Vendor
CVE Published: 21 May 2026

What is CVE-2026-48247?

The Open ISES Tickets application prior to version 3.44.2 contains a vulnerability that disables TLS certificate verification when making outbound HTTPS requests. Specifically, by setting CURLOPT_SSL_VERIFYPEER to false and failing to set CURLOPT_SSL_VERIFYHOST, the application exposes itself to potential security risks. An attacker could exploit this weakness by inserting themselves into the network path between the application server and external resources, allowing them to present a fraudulent SSL certificate. This can lead to interception, monitoring, or modification of sensitive information, such as API keys or user session data, thereby posing a significant threat to data integrity and confidentiality.
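A source audit for the pattern described above, as an added example that is not code from Open ISES or from this advisory. It assumes the affected code is PHP calling `curl_setopt` or `curl_setopt_array`; the name `audit_php_source` and both sample snippets are constructed for illustration. It goes slightly beyond the advisory by also flagging an explicitly disabled `CURLOPT_SSL_VERIFYHOST`.

```python
import re

# Matches both PHP call styles:
#   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
#   CURLOPT_SSL_VERIFYPEER => false    (inside curl_setopt_array)
OPTION_RE = re.compile(
    r"\bCURLOPT_SSL_VERIFY(PEER|HOST)\b\s*(?:,|=>)\s*([\w'\"]+)", re.IGNORECASE
)
DISABLED = {"false", "0", "null"}  # values that switch the check off

def audit_php_source(source):
    """Return (line_number, option, message) findings for one PHP file's text."""
    findings = []
    peer_disabled = host_seen = False
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # simplification: only whole-line comments are skipped
        for kind, raw in OPTION_RE.findall(line):
            kind = kind.upper()
            host_seen = host_seen or kind == "HOST"
            if raw.strip("'\"").lower() in DISABLED:
                findings.append((lineno, "CURLOPT_SSL_VERIFY" + kind, f"set to {raw}"))
                peer_disabled = peer_disabled or kind == "PEER"
    if peer_disabled and not host_seen:
        # The advisory's exact pattern; line 0 marks a file-level finding.
        findings.append((0, "CURLOPT_SSL_VERIFYHOST", "never set in this file"))
    return findings

# Constructed sample input, not taken from the Open ISES code base.
VULNERABLE = """<?php
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$body = curl_exec($ch);
"""
FIXED = """<?php
$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
]);
$body = curl_exec($ch);
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, audit_php_source(text))
```

Regex matching cannot see values passed through variables or constants, so a clean result is a starting point for manual review rather than proof that verification is on.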

Affected Version(s)

Tickets 0 < 3.44.2

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
