PT-2026-42480 · Unknown · Open Ises Tickets

Published: 2026-05-21 · Updated: 2026-05-21 · CVE-2026-48213

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Open ISES Tickets versions prior to 3.44.2

Description: A reflected cross-site scripting issue exists in the 'add.php' endpoint. Authenticated attackers can inject arbitrary JavaScript by providing an unsanitized value through the ticket id POST parameter, which is then placed directly into an HTML form input value attribute. This allows a malicious request to execute a JavaScript payload in the victim's browser when the response is rendered.

Recommendations: Update to version 3.44.2 or later. As a temporary workaround, restrict access to the 'add.php' endpoint or avoid using the ticket id parameter until the update is applied.
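
The pattern described above (a POST value copied into an `<input value="...">` attribute) next to its output-encoded form, as an added example that is not Open ISES Tickets source code. The field name `ticket_id`, the function names, and the integer-only allow-list are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; NOT Open ISES Tickets source code.
// Assumption: the POST field is named "ticket_id" (hypothetical name).

/** HTML-attribute-safe encoding: quotes, <, > and & become entities. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Pattern the advisory describes: request value copied raw into value="...". */
function render_unsafe(array $post): string
{
    $id = (string)($post['ticket_id'] ?? '');
    return '<input type="text" name="ticket_id" value="' . $id . '">';
}

/** Hardened: same field, encoded at the point of output. */
function render_safe(array $post): string
{
    $raw = $post['ticket_id'] ?? '';
    $id = is_string($raw) ? $raw : '';   // drop array input such as ticket_id[]=x
    return '<input type="text" name="ticket_id" value="' . attr($id) . '">';
}

/** Optional allow-list, assuming ticket ids are short decimal integers. */
function valid_ticket_id(string $id): bool
{
    return $id !== '' && strlen($id) <= 10 && ctype_digit($id);
}

// Constructed sample input: harmless markup that tries to close the attribute.
$post = ['ticket_id' => '42"><b>constructed</b>'];

echo render_unsafe($post), PHP_EOL;  // markup escapes the attribute
echo render_safe($post), PHP_EOL;    // value stays inside the attribute as text
var_dump(valid_ticket_id($post['ticket_id']));  // rejected by the allow-list
var_dump(valid_ticket_id('42'));                // accepted by the allow-list
```

Encoding at output is the control that closes the reflection; the allow-list is defence in depth and only applies if ticket ids really are numeric.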

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-48213

Affected Products: Open Ises Tickets