Open ISES Tickets SQL Injection (CVE-2026-48239) Allows Database Manipulation

/HIGH /CVSS 7.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitysql-injectioncwe-89
Open ISES Tickets SQL Injection (CVE-2026-48239) Allows Database Manipulation

A high-severity SQL injection vulnerability, tracked as CVE-2026-48239, has been identified in Open ISES Tickets versions prior to 3.44.2. According to the National Vulnerability Database, this flaw exists in the ajax/reports.php component, specifically where the tick_id POST parameter is incorporated into the WHERE clause of SELECT statements within the incidents summary report without proper sanitization.

This critical oversight enables authenticated attackers to craft malicious requests that can alter query semantics. The National Vulnerability Database indicates that successful exploitation grants attackers the ability to read, modify, or even destroy database contents. With a CVSS score of 7.1 (High), the vulnerability presents a significant risk, particularly given its network attack vector and low privileges required for exploitation.

Defenders leveraging Open ISES Tickets must prioritize patching to version 3.44.2 or later immediately. Organizations should also review incident summary report access permissions and monitor database logs for any anomalous activity that might indicate attempted or successful exploitation. The attacker’s calculus here is straightforward: leverage a common web vulnerability to gain control over critical data with minimal effort, given an authenticated session.

What This Means For You

  • If your organization uses Open ISES Tickets, you must verify your version immediately. Patch to 3.44.2 or higher without delay to mitigate CVE-2026-48239. Audit access logs for `ajax/reports.php` and database activity for any signs of unauthorized data access or modification.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1505.003 Server Software Component Initial Access T1189 Drive-by Compromise Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2026-48239 - Open ISES Tickets SQL Injection via ajax/reports.php

Sigma YAML — free preview 
title: CVE-2026-48239 - Open ISES Tickets SQL Injection via ajax/reports.php
id: scw-2026-05-21-ai-1
status: experimental
level: high
description: |
  Detects SQL injection attempts targeting Open ISES Tickets version prior to 3.44.2. The vulnerability exists in ajax/reports.php where the 'tick_id' POST parameter is not sanitized, allowing attackers to manipulate SQL queries. This rule specifically looks for requests to '/ajax/reports.php' with a 'tick_id' parameter containing common SQL injection keywords like 'OR', 'UNION', 'SELECT', and 'FROM'.
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-48239/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      uri|contains:
          - '/ajax/reports.php'
      cs-method|exact:
          - 'POST'
      cs-uri-query|contains:
          - 'tick_id='
  selection_payload_indicators:
      cs-uri-query|contains:
          - ' OR '
      cs-uri-query|contains:
          - ' UNION '
      cs-uri-query|contains:
          - ' SELECT '
      cs-uri-query|contains:
          - ' FROM '
  condition: selection AND selection_payload_indicators
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-48239 SQLi Open ISES Tickets
CVE-2026-48239 SQLi Open ISES Tickets before 3.44.2
CVE-2026-48239 SQLi ajax/reports.php
CVE-2026-48239 SQLi POST parameter tick_id

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 21, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-48247 — Open ISES Tickets before 3.44.2 disables TLS certificate

CVE-2026-48247 — Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound...

vulnerabilityCVEmedium-severitycwe-295
/SCW Vulnerability Desk /MEDIUM /5.9 /⚑ 2 IOCs /⚙ 2 Sigma

CVE-2026-48246 — Open ISES Tickets before 3.44.2 disables TLS certificate

CVE-2026-48246 — Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound...

vulnerabilityCVEmedium-severitycwe-295
/SCW Vulnerability Desk /MEDIUM /5.9 /⚑ 2 IOCs

Open ISES Tickets CVE-2026-48242: Hardcoded MySQL Credentials Exposed

CVE-2026-48242 — Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in...

vulnerabilityCVEhigh-severitycwe-798
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 2 IOCs /⚙ 3 Sigma