Which versions of Open ISES Tickets are affected by EUVD-2026-31329?

Open ISES Tickets versions before 3.44.2 contain a TLS certificate verification flaw in the RouteMate mobile login flow that allows network-positioned attackers to intercept login traffic and steal…. A patch is available.

Open ISES Tickets EUVD-2026-31329

Q: What is the CVSS score of EUVD-2026-31329?

EUVD-2026-31329 has a CVSS 4.0 base score of 8.2 (High). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-48249 HIGH

Improper Certificate Validation (CWE-295)

2026-05-21 VulnCheck

GHSA-x9qr-969f-24wr

PHP Information Disclosure

8.2

CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 21, 2026 - 18:36 vuln.today

Analysis Generated

May 21, 2026 - 18:36 vuln.today

Severity Changed

May 21, 2026 - 18:22 NVD

MEDIUM HIGH

CVSS changed

May 21, 2026 - 18:22 NVD

5.9 (MEDIUM) 8.2 (HIGH)

DescriptionNVD

Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for outbound HTTPS requests issued during the mobile (RouteMate) login flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.

AnalysisAI

Missing TLS certificate verification in Open ISES Tickets before 3.44.2 allows network-positioned attackers to intercept and tamper with outbound HTTPS traffic from the mobile (RouteMate) login flow, exposing API keys and session-bearing data. The flaw stems from rm/incs/mobile_login.inc.php disabling CURLOPT_SSL_VERIFYPEER and omitting CURLOPT_SSL_VERIFYHOST. …

RemediationAI

Within 24 hours: Identify all systems running Open ISES Tickets versions before 3.44.2 and review network logs for evidence of TLS interception during the vulnerability period. Within 7 days: Upgrade all affected systems to Open ISES Tickets v3.44.2 and revoke API keys issued to accounts with active mobile login sessions. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-31329 vulnerability details – vuln.today

Back

Open ISES Tickets EUVD-2026-31329

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Open ISES Tickets EUVD-2026-31329

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code