PT-2026-42527 · Unknown · Open Ises Tickets

Ejosterberg · Published 2026-05-21 · Updated 2026-05-21 · CVE-2026-48249

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Open ISES Tickets versions prior to 3.44.2

Description

The software disables TLS certificate verification when issuing outbound HTTPS requests during the mobile (RouteMate) login flow. This occurs in the file 'rm/incs/mobile login.inc.php', which sets the cURL option CURLOPT_SSL_VERIFYPEER to false and does not set CURLOPT_SSL_VERIFYHOST. A network attacker positioned between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify requests and responses, including session-bearing data or API keys.

Recommendations

Update to version 3.44.2.
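
To check a deployed copy, or other PHP code, for the pattern in the description, the following added example (not part of the advisory or of the Open ISES Tickets code base) scans PHP source text for cURL options that turn off peer verification or leave host name checking off. The function name, the sample snippet and the line-based heuristics are assumptions made for illustration.

```python
import re

# Matches curl_setopt($ch, CURLOPT_X, value) and "CURLOPT_X => value"
# entries passed to curl_setopt_array().
OPTION_RE = re.compile(
    r"\b(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*(?:,|=>)\s*([^,)\]\s;]+)")
PEER_OFF = {"false", "0"}


def audit_php_source(source):
    """Return (line, option, problem) findings for one PHP file's text.

    Heuristic and file-wide: it does not track individual cURL handles and
    skips only whole-line comments. Line 0 marks a file-level finding.
    """
    findings = []
    peer_disabled = host_seen = False
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue
        for option, raw in OPTION_RE.findall(line):
            value = raw.strip("'\"").lower()
            if option.endswith("PEER") and value in PEER_OFF:
                peer_disabled = True
                findings.append((lineno, option, "certificate chain not verified"))
            elif option.endswith("HOST"):
                host_seen = True
                if value != "2":
                    findings.append((lineno, option, "host name check not set to 2"))
    if peer_disabled and not host_seen:
        findings.append((0, "CURLOPT_SSL_VERIFYHOST", "never set explicitly"))
    return findings


# Constructed sample, not the project's file: the pattern the advisory describes.
SAMPLE = """<?php
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$body = curl_exec($ch);
"""
# Same snippet with verification enabled (an assumed remediation, not the 3.44.2 patch).
FIXED = SAMPLE.replace("VERIFYPEER, false", "VERIFYPEER, true").replace(
    "$body", "curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);\n$body")

if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE), ("FIXED", FIXED)):
        print(name, audit_php_source(text))
```

A finding is a prompt for manual review of the surrounding request code, since the scan does not follow variables or per-handle state.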

Fix

Improper Certificate Validation

Weakness Enumeration

Related Identifiers

CVE-2026-48249

Affected Products

Open Ises Tickets