HIGHCVE-2026-48248Published 2026-05-21Modified 2026-05-26CNA VulnCheck

CVE-2026-48248: Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in incs/login.inc.php

Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests issued during the login/authentication flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.

CVSS v4.0: 8.2
Severity: HIGH
Fixed in: 3.44.2
Affected Products: 1

Fix available

3.44.2

Patch commits

github.com

Affected packages

Open ISES / Tickets
< 3.44.2 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

github.com
github.com
vulncheck.com

Metrics

Fix available