Open ISES Tickets SQLi: Authenticated Attackers Can Destroy Database Content
The National Vulnerability Database has disclosed CVE-2026-48240, a high-severity SQL injection vulnerability in Open ISES Tickets versions prior to 3.44.2. This flaw resides in the ajax/statistics.php component, specifically where the tick_id and f_tick_id POST parameters are unsanitized before being concatenated into WHERE clauses of SELECT statements within statistics rollup queries.
This isn’t just a data leak risk. Authenticated attackers can exploit this vulnerability to craft malicious requests that fundamentally alter query semantics. The National Vulnerability Database confirms this allows them to read, modify, or even destroy the contents of the underlying database. A CVSS score of 7.1 (HIGH) underscores the significant impact on confidentiality and integrity.
For defenders, this means any organization using affected Open ISES Tickets versions is exposed to critical data compromise or destruction. The attacker only needs authenticated access, which broadens the threat surface considerably. This isn’t some complex zero-day; it’s a classic SQLi that, if exploited, can be catastrophic.
What This Means For You
- If your organization uses Open ISES Tickets, verify your version immediately. Patch to 3.44.2 or later without delay. Prioritize this, as authenticated attackers can wipe your data. Audit logs for any anomalous activity in `ajax/statistics.php` post-patch, especially if you have known or suspected compromised accounts.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-48240 - Open ISES Tickets SQL Injection in statistics.php
title: CVE-2026-48240 - Open ISES Tickets SQL Injection in statistics.php
id: scw-2026-05-21-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-48240 by identifying POST requests to ajax/statistics.php containing 'tick_id' and 'f_tick_id' parameters with SQL injection payloads indicative of data manipulation or destruction (e.g., UNION, SELECT, DROP, DELETE, UPDATE).
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-48240/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
uri|endswith:
- '/ajax/statistics.php'
cs-method|exact:
- 'POST'
cs-uri-query|contains:
- 'tick_id'
- 'f_tick_id'
cs-uri-query|contains:
- 'UNION'
cs-uri-query|contains:
- 'SELECT'
cs-uri-query|contains:
- 'DROP'
cs-uri-query|contains:
- 'DELETE'
cs-uri-query|contains:
- 'UPDATE'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-48240 | SQLi | Open ISES Tickets < 3.44.2 |
| CVE-2026-48240 | SQLi | ajax/statistics.php |
| CVE-2026-48240 | SQLi | POST parameter: tick_id |
| CVE-2026-48240 | SQLi | POST parameter: f_tick_id |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 21, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-48247 — Open ISES Tickets before 3.44.2 disables TLS certificate
CVE-2026-48247 — Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound...
CVE-2026-48246 — Open ISES Tickets before 3.44.2 disables TLS certificate
CVE-2026-48246 — Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound...
Open ISES Tickets CVE-2026-48242: Hardcoded MySQL Credentials Exposed
CVE-2026-48242 — Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in...