PT-2026-2291 · Mpdf+1

Naveen Sunkavally · Published 2026-01-12 · Updated 2026-05-01

CVE-2026-22200

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: osTicket versions 1.17.x prior to 1.17.7 and 1.18.x prior to 1.18.3

Description: osTicket versions 1.17.x prior to 1.17.7 and 1.18.x prior to 1.18.3 contain an arbitrary file read issue in the ticket PDF export functionality. An attacker can submit a ticket with crafted rich-text HTML containing PHP filter expressions that are not properly sanitized before being processed by the mPDF PDF generator during export. Exporting the ticket to PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, potentially disclosing sensitive local files within the context of the osTicket application user. This is exploitable in default configurations where guests can create tickets and access ticket status, or where self-registration is enabled. The issue allows for the reading of arbitrary server files, including sensitive configuration data such as database credentials and secret key material.

Recommendations: Update to osTicket version 1.17.7 or later (for 1.17.x) or to osTicket version 1.18.3 or later (for 1.18.x).

Tags: Exploit · Fix · RCE · Special Elements Injection


Weakness Enumeration

Related Identifiers: CVE-2026-22200

Affected Products: Mpdf, Osticket