Skip to main content

Open ISES Tickets CVE-2026-48227

| EUVD-2026-31307 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-21 VulnCheck GHSA-mwhq-jcwc-pqhp
PHP XSS
5.1
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 21, 2026 - 18:44 vuln.today
Analysis Generated
May 21, 2026 - 18:44 vuln.today
CVSS changed
May 21, 2026 - 18:22 NVD
5.4 (MEDIUM) 5.1 (MEDIUM)

DescriptionNVD

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form action URL. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

AnalysisAI

Reflected XSS in Open ISES Tickets before 3.44.2 exposes authenticated users to arbitrary JavaScript execution via unsanitized GET parameters in patient.php. The vulnerability exists in the id and ticket_id parameters, whose values are written directly into an HTML form action URL without output encoding, enabling an attacker to craft a malicious link that executes script in the victim's browser upon rendering. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-48227 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy