
Open ISES Tickets CVE-2026-48247 | EUVD-2026-31326
Severity: HIGH (8.2, CVSS 4.0)
Improper Certificate Validation (CWE-295)
2026-05-21 VulnCheck GHSA-24vx-5h6h-8q7m

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (4)

Source Code Evidence Fetched: May 21, 2026 - 18:33 (vuln.today)
Analysis Generated: May 21, 2026 - 18:33 (vuln.today)
Severity Changed: May 21, 2026 - 18:22 (NVD), MEDIUM to HIGH
CVSS changed: May 21, 2026 - 18:22 (NVD), 5.9 (MEDIUM) to 8.2 (HIGH)

Description (NVD)

Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) for the general-purpose outbound HTTPS requests issued by the shared helper functions. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.

Analysis (AI)

Man-in-the-middle exposure in Open ISES Tickets before 3.44.2 stems from the shared helper functions in incs/functions.inc.php disabling TLS certificate verification (CURLOPT_SSL_VERIFYPEER=false) on outbound HTTPS calls, which lets network-positioned attackers intercept or modify traffic carrying API keys and session data. No public exploit was identified at the time of analysis, and the vulnerability is not listed in CISA KEV, but the vendor's v3.44.2 release notes describe it as a critical security update that also bundles fixes for 88 other issues, including XSS and SQL injection.
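An added example, not code from Open ISES Tickets or from this advisory: a small static check for auditing PHP source (for instance local customizations) for cURL calls that turn off certificate validation. It goes beyond the single setting named above by also catching the `curl_setopt_array` form and CURLOPT_SSL_VERIFYHOST set to a falsy value; the function name and the sample input are assumptions made for the illustration.

```python
import re

# PHP cURL options that switch off part of TLS certificate validation when falsy.
TLS_OPTIONS = ("CURLOPT_SSL_VERIFYPEER", "CURLOPT_SSL_VERIFYHOST")

# Matches both call styles:
#   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
#   curl_setopt_array($ch, [CURLOPT_SSL_VERIFYPEER => 0]);
ASSIGNMENT = re.compile(
    r"\b(" + "|".join(TLS_OPTIONS) + r")\s*(?:,|=>)\s*([^\s,;)\]]+)"
)
FALSY = {"false", "0", "null", "'0'", '"0"', "''", '""'}
COMMENT_PREFIXES = ("//", "#", "*", "/*")


def find_disabled_verification(php_source):
    """Return (line_number, option, value) for each option set to a falsy literal."""
    findings = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        if line.strip().startswith(COMMENT_PREFIXES):
            continue  # whole-line comments only; trailing comments are still scanned
        for option, value in ASSIGNMENT.findall(line):
            if value.lower() in FALSY:
                findings.append((number, option, value))
    return findings


# Constructed sample input, not code from Open ISES Tickets.
SAMPLE_PHP = r"""<?php
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt_array($ch, [
    CURLOPT_SSL_VERIFYPEER => 0,
    CURLOPT_SSL_VERIFYHOST => 2,
]);
// curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
"""

if __name__ == "__main__":
    for number, option, value in find_disabled_verification(SAMPLE_PHP):
        print(f"line {number}: {option} set to {value}")
```

Values passed through a variable are not resolved, so a clean result does not prove verification is on. A finding is resolved by setting CURLOPT_SSL_VERIFYPEER to true and CURLOPT_SSL_VERIFYHOST to 2.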


Remediation (AI)

24 hours: Identify and document all Open ISES Tickets instances and current versions in your environment. 7 days: Deploy vendor patch to upgrade all instances to v3.44.2, beginning with non-production systems to validate compatibility. …
