CVE-2025-26241

Name of the Vulnerable Software and Affected Versions osTicket versions 1.17.5 and earlier

Description A SQL injection issue exists in the Search functionality of the tickets.php page, allowing authenticated attackers to execute arbitrary SQL commands. This is achieved via a combination of the keywords and topic id URL parameters.

Recommendations For osTicket versions 1.17.5 and earlier, consider restricting access to the tickets.php page until a patch is available. As a temporary workaround, avoid using the keywords and topic id parameters in combination in the affected API endpoint. At the moment, there is no information about a newer version that contains a fix for this vulnerability.