Skip to main content

Open ISES Tickets CVE-2026-48238

| EUVD-2026-31319 HIGH
SQL Injection (CWE-89)
2026-05-21 VulnCheck GHSA-8wx2-2gr7-3c4q
PHP SQLi
7.1
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
May 21, 2026 - 18:35 vuln.today
Analysis Generated
May 21, 2026 - 18:35 vuln.today

DescriptionNVD

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/mobile_main.php where the id GET parameter is concatenated into the WHERE clause of a SELECT statement used as a ticket-existence sanity check without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.

AnalysisAI

SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate database queries via the unsanitized id GET parameter in ajax/mobile_main.php. The flaw permits arbitrary read, modification, or destruction of database contents, and is part of a broader batch of 19 SQL injection fixes shipped in v3.44.2. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all Open ISES Tickets installations and document current versions. Within 7 days: Upgrade all instances to version 3.44.2 or later, testing in a staging environment prior to production deployment. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-48238 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy