Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in search.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_query POST parameter directly into an HTML input field VALUE attribute. Attackers can craft a malicious request containing a JavaScript payload in the frm_query parameter that executes in the victim's browser when submitted.
AnalysisAI
Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to inject arbitrary JavaScript into victim browsers via the unsanitized frm_query POST parameter in search.php, which is echoed verbatim into an HTML input VALUE attribute. The CVSS 4.0 score of 5.1 (Medium) reflects a required active user interaction step (UI:A) that limits opportunistic exploitation - a victim must be induced to submit a crafted request. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch (v3.44.2) is available and should be applied immediately, as it simultaneously addresses 88 security vulnerabilities - including 68 additional XSS flaws across 22 files - indicating systemic insecurity in all prior versions.
Technical ContextAI
Open ISES Tickets is a PHP-based helpdesk and ticketing application (CPE: cpe:2.3:a:openises:tickets:*:*:*:*:*:*:*:*). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), a class of output-encoding failure where user-controlled data travels from an HTTP request into HTML markup without sanitization or context-aware escaping. Specifically, search.php takes the frm_query POST parameter and renders it directly into the VALUE attribute of an HTML input element, allowing a payload such as "><script>...</script> or an attribute-breaking sequence to execute as JavaScript. Because the injection is POST-based and reflected (returned in the immediate response rather than persisted to a database), exploitation requires browser delivery of the malicious request - typically via a cross-site form submission or social engineering. The v3.44.2 release notes confirm that 69 XSS vulnerabilities were patched across 22 PHP files simultaneously, demonstrating that lack of output encoding was a codebase-wide pattern rather than an isolated defect.
RemediationAI
Upgrade to Open ISES Tickets v3.44.2 immediately; the vendor classifies this as a Critical Security Update and the release resolves 88 security vulnerabilities across the codebase, making upgrade the only fully effective remediation. Docker deployments should run docker compose pull && docker compose up -d. Traditional deployments should download the v3.44.2 zip from https://github.com/openises/tickets/releases/tag/v3.44.2, extract it over the existing installation, and run the built-in installer in Upgrade mode - the release notes confirm the upgrade path works from any prior version. The specific fix commit is available at https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff for reference. If immediate upgrade is operationally blocked, restrict access to search.php via web server IP allowlisting to limit the exposed attack surface - note this disables search functionality for all users. A WAF rule targeting script-injection patterns in the frm_query POST body parameter can provide interim coverage, but WAF bypasses for reflected XSS are common and this should not be treated as a permanent control.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31187
GHSA-x262-4wj6-jf4j