CVE-2026-48239
Published: 2026-05-21 · Last updated: 2026-05-21
Severity and scoring
- CVSS: 7.1 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
- CWE: CWE-89
Description
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick_id POST parameter is concatenated into the WHERE clause of SELECT statements in the incidents summary report without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.
Source: NVD
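The pattern the description names, next to a hardened form, as an added illustration: this is constructed here and is not code from the Open ISES Tickets project or its fix commit. The table and column names, the use of mysqli, and the function names are assumptions.

```php
<?php
// Constructed example (not the project's code). Table/column names assumed.

// Pattern described in the advisory: the tick_id POST value is spliced
// directly into the WHERE clause, so the database parses whatever the
// client sent as part of the SQL statement rather than as a bound value.
function incidentSummaryUnsafe(mysqli $db, array $post)
{
    $tick_id = $post['tick_id'];
    $sql = "SELECT id, status, opened FROM incidents WHERE ticket_id = " . $tick_id;
    return $db->query($sql);
}

// Hardened form: reject anything that is not an integer, then bind the value
// as a typed parameter of a prepared statement. The driver sends the query
// text and the value separately, so the value cannot change query semantics.
function incidentSummarySafe(mysqli $db, array $post): ?array
{
    $tick_id = filter_var($post['tick_id'] ?? null, FILTER_VALIDATE_INT);
    if ($tick_id === false || $tick_id === null) {
        http_response_code(400); // malformed request, log and stop
        return null;
    }
    $stmt = $db->prepare("SELECT id, status, opened FROM incidents WHERE ticket_id = ?");
    $stmt->bind_param('i', $tick_id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

For detection on an existing deployment, a web-server or application log rule that flags non-numeric tick_id values on POST requests to ajax/reports.php gives a simple signal while the upgrade to 3.44.2 is rolled out.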
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-48239
- [Other] https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
- [Other] https://github.com/openises/tickets/releases/tag/v3.44.2
- [Other] https://www.vulncheck.com/advisories/open-ises-tickets-sql-injection-via-ajax-reports-php-tick-id-parameter
Related CVEs
Same CWE
- CVE-2026-52715 — Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions (9.3 CRITICAL)
- CVE-2026-52712 — Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions (7.6 HIGH)
- CVE-2026-49772 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events C... (9.3 CRITICAL)
- CVE-2026-39581 — Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions (8.5 HIGH)
- CVE-2026-39574 — Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions (9.3 CRITICAL)