PT-2026-42524 · Unknown · Open Ises Tickets
Published: 2026-05-21 · Updated: 2026-05-21
CVE-2026-48246
CVSS v3.1: 5.9 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Open ISES Tickets versions prior to 3.44.2
Description
The software disables TLS certificate verification when issuing outbound HTTPS requests for Google Maps Directions API lookups during incident report generation. This occurs in the 'ajax/reports.php' endpoint, which sets the CURLOPT_SSL_VERIFYPEER option to false and fails to set CURLOPT_SSL_VERIFYHOST. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including API keys or session-bearing data in transit.
Recommendations
Update to version 3.44.2 or later.
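To check that a deployed copy, or local modifications in the same tree, no longer switch off certificate checks, the PHP sources can be scanned for the pattern described above. The following is an added example, not code from the Open ISES Tickets project; the function name, the sample PHP and its placeholder URL are constructed for illustration and are not the contents of 'ajax/reports.php'.

```python
import re

# Values that switch a check off. CURLOPT_SSL_VERIFYHOST needs 2 to match the
# certificate name against the host; 0 or false disables that check.
_OFF = r"(?:false|0|null)"
_OPT = r"CURLOPT_SSL_VERIFY(?:PEER|HOST)"
# Covers curl_setopt($ch, OPT, value) and the "OPT => value" form used with
# curl_setopt_array(). PHP accepts false/FALSE, hence IGNORECASE.
_PATTERN = re.compile(
    rf"(?P<opt>{_OPT})\s*(?:,|=>)\s*(?P<val>{_OFF})\b", re.IGNORECASE
)


def find_disabled_tls_checks(php_source):
    """Return (line_number, option) pairs where TLS verification is disabled."""
    # Blank out comments but keep newlines so reported line numbers stay right.
    # Limitation: a '#' or '//' inside a string literal is treated as a comment
    # start, except '//' directly after ':' (as in "https://").
    def keep_newlines(match):
        return "\n" * match.group(0).count("\n")

    code = re.sub(r"/\*.*?\*/", keep_newlines, php_source, flags=re.DOTALL)
    code = re.sub(r"(?<!:)//[^\n]*|#[^\n]*", "", code)
    findings = []
    for match in _PATTERN.finditer(code):
        line = code.count("\n", 0, match.start()) + 1
        findings.append((line, match.group("opt").upper()))
    return findings


# Constructed sample input (hypothetical code, placeholder URL).
SAMPLE_PHP = '''<?php
// Constructed sample for the scanner.
$ch = curl_init("https://maps.example.invalid/directions"); // placeholder
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
/* curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); */
curl_setopt_array($ch2, [
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 0,
]);
'''

if __name__ == "__main__":
    for line, option in find_disabled_tls_checks(SAMPLE_PHP):
        print(f"line {line}: {option} is disabled")
```

The commented-out call on line 6 of the sample is ignored; only live code is reported.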
Fix
Improper Certificate Validation
Weakness Enumeration
Related Identifiers
Affected Products
Open Ises Tickets