Open ISES Tickets EUVD-2026-31315

CVE-2026-48235 | HIGH | SQL Injection (CWE-89)
2026-05-21 | VulnCheck | GHSA-3r6v-wcmw-ghxc
CVSS 4.0 score: 8.8

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (3 events)

Source Code Evidence Fetched: May 21, 2026 - 18:34 (vuln.today)
Analysis Generated: May 21, 2026 - 18:34 (vuln.today)
CVSS changed: May 21, 2026 - 18:22 (NVD), 8.2 (HIGH) to 8.8 (HIGH)

Description (NVD)

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. An attacker able to compromise or impersonate the remote GPS tracker endpoint can inject SQL to manipulate the responder location, tracks, and assignment tables.
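
The remediation pattern for the flaw described above, as an added example that is not code from Open ISES Tickets or its 3.44.2 fix: every field parsed from the tracker response is type- and range-checked, then bound through a prepared statement instead of being concatenated. The table, column and JSON field names, the sample responses and the use of PDO with in-memory SQLite (requires pdo_sqlite) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Type-check one parsed tracker fix before it goes near SQL (field names assumed).
function validate_fix(array $f): array {
    $num = fn(string $k) => filter_var($f[$k] ?? null, FILTER_VALIDATE_FLOAT);
    [$lat, $lng, $mph, $alt] = [$num('lat'), $num('lng'), $num('mph'), $num('altitude')];
    $ts   = filter_var($f['timestamp'] ?? null, FILTER_VALIDATE_INT);
    $call = $f['callsign'] ?? null;
    if ($lat === false || abs($lat) > 90)  throw new InvalidArgumentException('latitude');
    if ($lng === false || abs($lng) > 180) throw new InvalidArgumentException('longitude');
    if ($mph === false || $mph < 0)        throw new InvalidArgumentException('mph');
    if ($alt === false)                    throw new InvalidArgumentException('altitude');
    if ($ts === false || $ts <= 0)         throw new InvalidArgumentException('timestamp');
    if (!is_string($call) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $call)) {
        throw new InvalidArgumentException('callsign');
    }
    return ['lat' => $lat, 'lng' => $lng, 'mph' => $mph, 'alt' => $alt, 'ts' => $ts, 'call' => $call];
}

// Values are bound as parameters, so they are never parsed as SQL text.
function store_fix(PDO $db, array $fix): void {
    $stmt = $db->prepare('UPDATE responder SET lat = :lat, lng = :lng, mph = :mph,
                          altitude = :alt, updated = :ts WHERE callsign = :call');
    $stmt->execute($fix);
}

// Hypothetical schema standing in for the responder location table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE responder (callsign TEXT PRIMARY KEY, lat REAL, lng REAL,
           mph REAL, altitude REAL, updated INTEGER)');
$db->exec("INSERT INTO responder (callsign) VALUES ('MEDIC-7')");

// Constructed tracker responses: one well-formed, one with a non-numeric latitude.
$responses = [
    '{"callsign":"MEDIC-7","lat":38.9784,"lng":-76.4922,"mph":12,"altitude":9.1,"timestamp":1779388440}',
    '{"callsign":"MEDIC-7","lat":"38.9784\'","lng":-76.4922,"mph":12,"altitude":9.1,"timestamp":1779388440}',
];
foreach ($responses as $raw) {
    try {
        $fix = validate_fix(json_decode($raw, true, 8, JSON_THROW_ON_ERROR));
        store_fix($db, $fix);
        echo "stored fix for {$fix['call']}\n";
    } catch (InvalidArgumentException | JsonException | TypeError $e) {
        error_log('rejected tracker response: ' . $e->getMessage());
    }
}
var_export($db->query('SELECT * FROM responder')->fetch(PDO::FETCH_ASSOC));
```

Logging each rejected response gives operators a signal that a tracker endpoint is returning unexpected data.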

Analysis (AI)

SQL injection in Open ISES Tickets before 3.44.2 allows attackers controlling or impersonating an InstaMapper or Google Latitude GPS tracking endpoint to inject malicious SQL via unsanitized latitude, longitude, callsign, mph, altitude, and timestamp values parsed by incs/remotes.inc.php. The CVSS 4.0 base score of 8.8 reflects unauthenticated network exploitation with high confidentiality impact, and no public exploit is identified at time of analysis. …

Remediation (AI)

Within 24 hours: Inventory all Open ISES Tickets deployments and verify which are running versions before 3.44.2; isolate or restrict network access if assessment cannot be completed immediately. Within 7 days: Upgrade all affected instances to v3.44.2. …
