Skip to main content

Open ISES Tickets CVE-2026-48229

| EUVD-2026-31309 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-21 VulnCheck GHSA-69pg-x7ch-rf7g
PHP XSS
5.1
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 21, 2026 - 18:38 vuln.today
Analysis Generated
May 21, 2026 - 18:38 vuln.today
CVSS changed
May 21, 2026 - 18:22 NVD
5.4 (MEDIUM) 5.1 (MEDIUM)

DescriptionNVD

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_i.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

AnalysisAI

Reflected XSS in Open ISES Tickets (all versions before 3.44.2) allows injection of arbitrary JavaScript via the unsanitized ticket_id GET parameter in routes_i.php, rendered directly into HTML form hidden input value attributes. When a victim visits or is redirected to a crafted URL, the payload executes in their browser within the application's security context. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-48229 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy