Which versions of Open ISES Tickets are affected by EUVD-2026-31311?

Open ISES Tickets versions prior to 3.44.2 contain a SQL injection vulnerability that allows authenticated users to directly manipulate database contents through unsanitized parameters in the…. A patch is available.

How to fix or mitigate EUVD-2026-31311?

Within 24 hours: inventory all Open ISES Tickets deployments and confirm current version. Within 7 days: upgrade all instances to version 3.44.2 or later. Within 30 days: review audit logs for suspicious database operations in the tables.php module and verify no unauthorized data changes occurred post-deployment.

Open ISES Tickets EUVD-2026-31311

Q: What is the CVSS score of EUVD-2026-31311?

EUVD-2026-31311 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-48231 HIGH

SQL Injection (CWE-89)

2026-05-21 VulnCheck

GHSA-jh65-7v5m-mh3v

PHP SQLi

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 21, 2026 - 18:32 vuln.today

Analysis Generated

May 21, 2026 - 18:32 vuln.today

DescriptionNVD

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in tables.php where the multiple POST parameters (tablename, indexname, sortby) are concatenated into table/column identifiers in dynamically constructed SELECT/UPDATE/DELETE statements without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.

AnalysisAI

SQL injection in Open ISES Tickets prior to 3.44.2 lets authenticated users tamper with database contents by abusing unsanitized POST parameters (tablename, indexname, sortby) in tables.php that are concatenated directly into SELECT, UPDATE, and DELETE identifier positions. The flaw is one of 19 SQLi issues fixed in the v3.44.2 release; no public exploit identified at time of analysis, but the vendor labels the release a Critical Security Update and urges immediate upgrade.

RemediationAI

Within 24 hours: inventory all Open ISES Tickets deployments and confirm current version. Within 7 days: upgrade all instances to version 3.44.2 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-31311 vulnerability details – vuln.today

Back

Open ISES Tickets EUVD-2026-31311

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Open ISES Tickets EUVD-2026-31311

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code