CVE-2026-48235: SQLi in Open ISES Tickets via GPS Data
The National Vulnerability Database has disclosed CVE-2026-48235, a high-severity SQL injection vulnerability (CVSS 8.2) impacting Open ISES Tickets versions prior to 3.44.2. The flaw exists in incs/remotes.inc.php, where latitude, longitude, callsign, mph, altitude, and timestamp values, parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration), are concatenated directly into UPDATE and INSERT statements without adequate sanitization.
This is a classic SQLi scenario. An attacker who can compromise or impersonate a remote GPS tracker endpoint can inject malicious SQL. This allows them to manipulate critical data within the responder location, tracks, and assignment tables. The implications are severe: an adversary could falsify responder locations, erase track histories, or even alter assignment data, leading to operational chaos and potential physical risks in emergency response scenarios.
While specific affected products beyond ‘Open ISES Tickets’ are not detailed by the National Vulnerability Database, organizations utilizing this system, particularly those integrating with InstaMapper or Google Latitude for GPS tracking, are directly exposed. The vulnerability’s high score reflects its network-exploitable nature with no user interaction required, making it a critical concern for any deployed instance.
What This Means For You
- If your organization uses Open ISES Tickets, especially with GPS tracking integrations like InstaMapper or Google Latitude, you need to verify your version immediately. Patch to 3.44.2 or later to mitigate CVE-2026-48235. Without this, an attacker could falsify critical operational data, leading to severe disruptions or misdirection of emergency services.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-48235: SQLi in Open ISES Tickets incs/remotes.inc.php via GPS data
title: CVE-2026-48235: SQLi in Open ISES Tickets incs/remotes.inc.php via GPS data
id: scw-2026-05-21-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-48235 by observing requests to 'incs/remotes.inc.php' containing GPS data parameters. This vulnerability allows SQL injection due to unsanitized input from external GPS tracking services, enabling attackers to manipulate responder location, tracks, and assignment tables.
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-48235/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/incs/remotes.inc.php'
cs-uri-query|contains:
- 'latitude='
- 'longitude='
- 'callsign='
- 'mph='
- 'altitude='
- 'timestamp='
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-48235 | SQLi | Open ISES Tickets |
| CVE-2026-48235 | SQLi | Open ISES Tickets before 3.44.2 |
| CVE-2026-48235 | SQLi | incs/remotes.inc.php |
| CVE-2026-48235 | SQLi | Parameters: latitude, longitude, callsign, mph, altitude, timestamp |
| CVE-2026-48235 | SQLi | Integration with InstaMapper and Google Latitude |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 21, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-48247 — Open ISES Tickets before 3.44.2 disables TLS certificate
CVE-2026-48247 — Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound...
CVE-2026-48246 — Open ISES Tickets before 3.44.2 disables TLS certificate
CVE-2026-48246 — Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound...
Open ISES Tickets CVE-2026-48242: Hardcoded MySQL Credentials Exposed
CVE-2026-48242 — Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in...