CVE-2026-35013

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in street view.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through the thelat and thelng GET parameters directly into JavaScript variable assignments. Attackers can craft a malicious URL containing a JavaScript payload in either parameter that executes in the victim's browser when the URL is visited.