EUVD-2026-31316
GHSA-646p-2m5f-7gm9
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionNVD
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in portal/ajax/list_requests.php where the sort and dir GET parameters are concatenated into the ORDER BY clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.
AnalysisAI
SQL injection in Open ISES Tickets versions prior to 3.44.2 allows authenticated attackers to manipulate ORDER BY clauses via the sort and dir GET parameters in portal/ajax/list_requests.php, enabling unauthorized read, modification, or destruction of database contents. The CVSS 4.0 score of 7.1 reflects network-reachable exploitation with low privileges and no user interaction required. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify and inventory all systems running Open ISES Tickets; confirm current version and review access logs for suspicious database queries. Within 7 days: Upgrade all instances to version 3.44.2; validate patch in staging environment before production deployment. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today