PT-2026-42509 · Unknown · Open Ises Tickets

Published 2026-05-21 · Updated 2026-05-22 · CVE-2026-48231

CVSS v3.1: 7.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Open ISES Tickets versions prior to 3.44.2

Description

An issue exists in the 'tables.php' endpoint where multiple POST parameters, specifically tablename, indexname, and sortby, are concatenated into table or column identifiers within dynamically constructed SELECT, UPDATE, and DELETE statements without proper sanitization. This allows authenticated attackers to manipulate query semantics to read, modify, or delete database contents. SQL injection is a technique where an attacker inserts malicious SQL code into a query, allowing them to interfere with the queries that an application makes to its database.

Recommendations

Update to version 3.44.2 or later.
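
The general mitigation for identifier injection of the kind described above, as an added example (not code from Open ISES Tickets or from its 3.44.2 fix): bound parameters cannot stand in for table or column names, so tablename, indexname and sortby are each matched against a fixed allow-list while data values are still bound. The schema map, the `value` field and the function names are hypothetical, and an in-memory SQLite database stands in for the real one.

```php
<?php
declare(strict_types=1);

// Hypothetical schema map: the only tables and columns a request may name.
// These names are constructed for the example, not taken from the project.
const ALLOWED = [
    'ticket'    => ['id', 'scope', 'status'],
    'responder' => ['id', 'name'],
];

/** Return the allow-listed identifier itself, or throw. User input never reaches the SQL text. */
function pick(string $value, array $allowed, string $what): string
{
    $i = array_search($value, $allowed, true);   // strict, whole-string match
    if ($i === false) {
        throw new InvalidArgumentException("rejected $what");
    }
    return $allowed[$i];
}

/** Run the SELECT: identifiers come from the map, the data value is bound. */
function fetchRows(PDO $db, array $post): array
{
    $table = pick($post['tablename'] ?? '', array_keys(ALLOWED), 'tablename');
    $index = pick($post['indexname'] ?? '', ALLOWED[$table], 'indexname');
    $sort  = pick($post['sortby'] ?? '', ALLOWED[$table], 'sortby');

    $stmt = $db->prepare("SELECT * FROM `$table` WHERE `$index` = :v ORDER BY `$sort`");
    $stmt->execute([':v' => $post['value'] ?? null]);   // 'value' is a hypothetical field
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ticket (id INTEGER, scope TEXT, status TEXT)");
$db->exec("INSERT INTO ticket VALUES (1, 'flood', 'open'), (2, 'fire', 'closed')");

$ok = ['tablename' => 'ticket', 'indexname' => 'status', 'sortby' => 'id', 'value' => 'open'];
print_r(fetchRows($db, $ok));

// Constructed hostile input: sortby carries extra SQL instead of a column name.
$bad = ['sortby' => 'id, (SELECT 1)'] + $ok;
try {
    fetchRows($db, $bad);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Columns are validated against the list for the already-validated table, so a column name that is legitimate on one table is not accepted for another.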

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-48231

Affected Products

Open Ises Tickets