Which versions of Open ISES Tickets are affected by EUVD-2026-31327?

Open ISES Tickets before v3.44.2 exposes organizations running this incident management platform to credential theft and data exposure through a TLS verification flaw that enables attackers to…. A patch is available.

How to fix or mitigate EUVD-2026-31327?

Within 24 hours: Identify all systems running Open ISES Tickets and document current versions. Within 7 days: Upgrade all affected installations to v3.44.2. Within 30 days: Rotate all Google Maps API keys associated with affected systems and conduct access log review for unauthorized API calls.

Open ISES Tickets EUVD-2026-31327

Q: What is the CVSS score of EUVD-2026-31327?

EUVD-2026-31327 has a CVSS 4.0 base score of 8.2 (High). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-48246 HIGH

Improper Certificate Validation (CWE-295)

2026-05-21 VulnCheck

GHSA-cm28-j57h-46hg

PHP Information Disclosure Google

8.2

CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 21, 2026 - 18:36 vuln.today

Analysis Generated

May 21, 2026 - 18:36 vuln.today

Severity Changed

May 21, 2026 - 18:22 NVD

MEDIUM HIGH

CVSS changed

May 21, 2026 - 18:22 NVD

5.9 (MEDIUM) 8.2 (HIGH)

DescriptionNVD

Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for Google Maps Directions API lookups during incident report generation. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.

AnalysisAI

TLS certificate verification bypass in Open ISES Tickets before 3.44.2 allows network-positioned attackers to intercept HTTPS traffic between the application server and Google Maps Directions API during incident report generation. The flaw stems from ajax/reports.php explicitly setting CURLOPT_SSL_VERIFYPEER to false without configuring CURLOPT_SSL_VERIFYHOST, exposing Google API keys and any session-bearing data carried in outbound requests. …

RemediationAI

Within 24 hours: Identify all systems running Open ISES Tickets and document current versions. Within 7 days: Upgrade all affected installations to v3.44.2. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory