CVE-2026-48239

HIGH

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick_id POST parameter is concatenated into the WHERE clause of SELECT statements in the incidents summary report without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.

CVSS v3.1 Score

7.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

NETWORK

Complexity

LOW

Privileges

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Published: 5/21/2026Modified: 5/21/2026

Related Intelligence (0)

No articles currently reference this CVE.

References (3)

https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://github.com/openises/tickets/releases/tag/v3.44.2 https://www.vulncheck.com/advisories/open-ises-tickets-sql-injection-via-ajax-reports-php-tick-id-parameter