Open ISES Tickets SQLi: Authenticated Attackers Can Destroy Database

/HIGH /CVSS 7.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitysql-injectioncwe-89
Open ISES Tickets SQLi: Authenticated Attackers Can Destroy Database

The National Vulnerability Database (NVD) reports a critical SQL injection vulnerability, CVE-2026-48237, in Open ISES Tickets versions prior to 3.44.2. This flaw exists in message.php, where the frm_ticket_id and frm_resp_id POST parameters are concatenated directly into SQL WHERE clauses without proper sanitization. This is a classic SQLi scenario.

Authenticated attackers can exploit this vulnerability to manipulate query semantics, enabling them to read, modify, or even destroy database contents. While requiring authentication, the impact is severe, warranting a CVSS score of 7.1 (HIGH). The NVD highlights the potential for complete data compromise (C:H) and partial integrity compromise (I:L), with no user interaction required once authenticated.

Organizations utilizing Open ISES Tickets must prioritize patching to version 3.44.2 or higher immediately. This isn’t theoretical; SQL injection remains a top attack vector, often leading to full system compromise. Leaving this unpatched is an open invitation for an insider threat or a compromised account to wreak havoc on your data.

What This Means For You

  • If your organization uses Open ISES Tickets, you need to check your version immediately. Patch to 3.44.2 or later to mitigate CVE-2026-48237. This is a high-severity SQL injection that allows authenticated attackers to manipulate or destroy your database. Don't wait for an incident.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1505.003 Server Software Component Initial Access T1189 Drive-by Compromise Initial Access

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-48237 - Open ISES Tickets SQL Injection in message.php

Sigma YAML — free preview 
title: CVE-2026-48237 - Open ISES Tickets SQL Injection in message.php
id: scw-2026-05-21-ai-1
status: experimental
level: critical
description: |
  Detects SQL injection attempts targeting Open ISES Tickets versions prior to 3.44.2. The vulnerability exists in message.php where the 'frm_ticket_id' and 'frm_resp_id' POST parameters are vulnerable to injection. This rule looks for requests to '/message.php' with POST method that contain these parameters along with common SQL injection keywords like 'OR', 'UNION SELECT', and 'AND'.
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-48237/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/message.php'
      cs-method|exact:
          - 'POST'
      selection_base:
          cs-uri-query|contains:
              - 'frm_ticket_id='
              - 'frm_resp_id='
      selection_indicators:
          cs-uri-query|contains:
              - "' OR "
              - "' UNION SELECT "
              - "' AND "
      condition: selection_base AND selection_indicators
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-48237 SQLi Open ISES Tickets before 3.44.2
CVE-2026-48237 SQLi message.php
CVE-2026-48237 SQLi POST parameter frm_ticket_id
CVE-2026-48237 SQLi POST parameter frm_resp_id

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 21, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-48247 — Open ISES Tickets before 3.44.2 disables TLS certificate

CVE-2026-48247 — Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound...

vulnerabilityCVEmedium-severitycwe-295
/SCW Vulnerability Desk /MEDIUM /5.9 /⚑ 2 IOCs /⚙ 2 Sigma

CVE-2026-48246 — Open ISES Tickets before 3.44.2 disables TLS certificate

CVE-2026-48246 — Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound...

vulnerabilityCVEmedium-severitycwe-295
/SCW Vulnerability Desk /MEDIUM /5.9 /⚑ 2 IOCs

Open ISES Tickets CVE-2026-48242: Hardcoded MySQL Credentials Exposed

CVE-2026-48242 — Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in...

vulnerabilityCVEhigh-severitycwe-798
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 2 IOCs /⚙ 3 Sigma