Open ISES Tickets SQLi: Authenticated Attackers Can Corrupt Databases
The National Vulnerability Database has disclosed CVE-2026-48238, a high-severity SQL injection vulnerability affecting Open ISES Tickets versions prior to 3.44.2. This flaw exists in the ajax/mobile_main.php component, where the id GET parameter is unsafely concatenated into a SELECT statement’s WHERE clause. This lack of sanitization creates a critical attack vector.
Authenticated attackers can exploit this vulnerability to manipulate query semantics, enabling them to read, modify, or destroy database contents. With a CVSS score of 7.1 (High), the impact on confidentiality is significant, with potential for data exfiltration and integrity compromise. The attack complexity is low, making it a straightforward exploit for those with valid credentials.
Defenders must prioritize patching Open ISES Tickets instances to version 3.44.2 or later immediately. Given the authenticated nature of the exploit, robust access control and monitoring for unusual database activity are also crucial. Assume any unpatched system is already compromised if an attacker gains even low-privilege access.
What This Means For You
- If your organization uses Open ISES Tickets, verify your version immediately. Patch to 3.44.2 or higher without delay. Audit logs for `ajax/mobile_main.php` for any suspicious GET requests with unusual `id` parameters, especially from authenticated but potentially compromised accounts. This is a direct path to database compromise.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-48238 - Open ISES Tickets SQL Injection via mobile_main.php
title: CVE-2026-48238 - Open ISES Tickets SQL Injection via mobile_main.php
id: scw-2026-05-21-ai-1
status: experimental
level: high
description: |
Detects attempts to exploit CVE-2026-48238 by targeting the ajax/mobile_main.php script with a GET parameter named 'id'. This SQL injection vulnerability allows authenticated attackers to corrupt database contents.
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-48238/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/ajax/mobile_main.php'
cs-uri-query|contains:
- 'id='
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-48238 | SQLi | Open ISES Tickets before 3.44.2 |
| CVE-2026-48238 | SQLi | ajax/mobile_main.php |
| CVE-2026-48238 | SQLi | GET parameter 'id' |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 21, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-48247 — Open ISES Tickets before 3.44.2 disables TLS certificate
CVE-2026-48247 — Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound...
CVE-2026-48246 — Open ISES Tickets before 3.44.2 disables TLS certificate
CVE-2026-48246 — Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound...
Open ISES Tickets CVE-2026-48242: Hardcoded MySQL Credentials Exposed
CVE-2026-48242 — Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in...