HIGHCVE-2026-48239Published Modified CNA VulnCheck
CVE-2026-48239: Open ISES Tickets < 3.44.2 SQL Injection via ajax/reports.php tick_id Parameter
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick_id POST parameter is concatenated into the WHERE clause of SELECT statements in the incidents summary report without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.
Metrics
- CVSS v4.0
- 7.1
- Severity
- HIGH
- Fixed in
- 3.44.2
- Affected Products
- 1
Affected packages
- Open ISES / Tickets< 3.44.2 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:NReferences