Enhancesoft · Osticket · CVE-2026-9507
**Name of the Vulnerable Software and Affected Versions**
osTicket version 1.18.2
**Description**
A session fixation flaw allows an attacker to hijack a user account because the initial session identifier `OSTSESSID` remains active after a successful login. The application fails to invalidate the pre-authentication cookie or generate a new identifier for the authenticated context. Consequently, if an attacker sets a known session identifier in a victim's browser, they can maintain unauthorized access once the victim authenticates.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
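
To check a deployment for the behaviour described above, the following added example (not osTicket code and not part of the advisory) walks the response headers of a recorded login flow and reports whether the `OSTSESSID` value in effect changed at the point of authentication. The flow structure, step labels and cookie values are constructed for illustration.

```python
COOKIE = "OSTSESSID"  # session cookie name given in the advisory

def set_cookie_value(headers, name=COOKIE):
    """Return the last value a response sets for `name`, or None if it sets none."""
    value = None
    for key, raw in headers:
        if key.lower() != "set-cookie":
            continue
        k, sep, v = raw.split(";", 1)[0].partition("=")
        if sep and k.strip() == name:
            value = v.strip()
    return value

def audit_flow(flow, name=COOKIE):
    """Return (label, verdict) for each step where the user becomes authenticated."""
    current, was_auth, verdicts = None, False, []
    for step in flow:
        before = current                      # identifier held before this response
        issued = set_cookie_value(step["headers"], name)
        if issued is not None:
            current = issued                  # identifier in effect after this response
        if step["authenticated"] and not was_auth:
            if before is None:
                verdict = "inconclusive"      # no pre-login identifier was captured
            elif current == before:
                verdict = "not-rotated"       # pre-login identifier survives login
            else:
                verdict = "rotated"
            verdicts.append((step["label"], verdict))
        was_auth = step["authenticated"]
    return verdicts

# Constructed sample captures (not real traffic).
AFFECTED = [
    {"label": "GET login page", "authenticated": False,
     "headers": [("Set-Cookie", "OSTSESSID=aaaa1111; path=/; HttpOnly")]},
    {"label": "POST credentials", "authenticated": True,
     "headers": [("Content-Type", "text/html")]},  # no new identifier issued
]
ROTATING = [
    {"label": "GET login page", "authenticated": False,
     "headers": [("set-cookie", "OSTSESSID=aaaa1111; path=/; HttpOnly")]},
    {"label": "POST credentials", "authenticated": True,
     "headers": [("set-cookie", "OSTSESSID=bbbb2222; path=/; HttpOnly")]},
]

if __name__ == "__main__":
    for name, flow in (("affected", AFFECTED), ("rotating", ROTATING)):
        print(name, audit_flow(flow))
```

A `not-rotated` verdict matches the condition in the description: the identifier issued before authentication is still the one bound to the authenticated session.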