Open ISES Tickets SQL Injection (CVE-2026-48236) Exposes Databases

/HIGH /CVSS 7.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitysql-injectioncwe-89
Open ISES Tickets SQL Injection (CVE-2026-48236) Exposes Databases

The National Vulnerability Database has detailed CVE-2026-48236, a high-severity SQL injection vulnerability affecting Open ISES Tickets before version 3.44.2. The flaw resides in db_loader.php, where multiple POST parameters—ticketsdb, ticketshost, ticketsuser, and ticketspassword—are directly concatenated into mysqli connection arguments. This lack of sanitization allows authenticated attackers to manipulate these parameters.

Attackers can craft malicious requests that alter SQL query semantics, effectively executing arbitrary SQL commands against an attacker-controlled database. This grants them the ability to read, modify, or destroy database contents, leading to significant data compromise. The National Vulnerability Database assigns this a CVSSv3.1 score of 7.1 (HIGH), with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, highlighting the high impact on confidentiality.

While specific affected products beyond ‘Open ISES Tickets’ are not detailed by the National Vulnerability Database, organizations using this software are at direct risk. This vulnerability is a classic CWE-89 SQL injection, a perennial problem that continues to plague applications. The attacker’s calculus here is straightforward: leverage authenticated access to pivot from application control to database control, extracting or corrupting critical data.

What This Means For You

  • If your organization uses Open ISES Tickets, you must immediately verify your version. Patch to 3.44.2 or later without delay to mitigate CVE-2026-48236. Audit logs for any anomalous database activity, especially around `db_loader.php` interactions or unusual SQL errors, which could indicate attempted exploitation.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1505.003 Server Software Component: Database Components Initial Access T1189 Drive-by Compromise Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-48236 - Open ISES Tickets SQL Injection via db_loader.php

Sigma YAML — free preview 
title: CVE-2026-48236 - Open ISES Tickets SQL Injection via db_loader.php
id: scw-2026-05-21-ai-1
status: experimental
level: critical
description: |
  Detects the specific SQL injection vulnerability in Open ISES Tickets (CVE-2026-48236) by looking for POST requests to db_loader.php containing the vulnerable parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword). This indicates an attempt to exploit the SQL injection flaw to access or manipulate the database.
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-48236/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      uri|contains:
          - '/db_loader.php'
      cs-method|exact:
          - 'POST'
      cs-uri-query|contains:
          - 'ticketsdb='
          - 'ticketshost='
          - 'ticketsuser='
          - 'ticketspassword='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-48236 SQLi Open ISES Tickets before 3.44.2
CVE-2026-48236 SQLi db_loader.php
CVE-2026-48236 SQLi POST parameters: ticketsdb, ticketshost, ticketsuser, ticketspassword

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 21, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-48247 — Open ISES Tickets before 3.44.2 disables TLS certificate

CVE-2026-48247 — Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound...

vulnerabilityCVEmedium-severitycwe-295
/SCW Vulnerability Desk /MEDIUM /5.9 /⚑ 2 IOCs /⚙ 2 Sigma

CVE-2026-48246 — Open ISES Tickets before 3.44.2 disables TLS certificate

CVE-2026-48246 — Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound...

vulnerabilityCVEmedium-severitycwe-295
/SCW Vulnerability Desk /MEDIUM /5.9 /⚑ 2 IOCs

Open ISES Tickets CVE-2026-48242: Hardcoded MySQL Credentials Exposed

CVE-2026-48242 — Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in...

vulnerabilityCVEhigh-severitycwe-798
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 2 IOCs /⚙ 3 Sigma