Open ISES Tickets: 25 CVEs Disclosed — SQLi, Hardcoded Credentials, and TLS Verification Flaws
A batch of 25 vulnerabilities in Open ISES Tickets (Tickets) was disclosed on May 21, 2026, spanning SQL injection, hardcoded secrets, TLS bypass, and XSS — all fixed in version 3.44.2.

Key findings
- 11 SQL injection CVEs (High severity, CVSS 7.1–8.2) across AJAX handlers and utility scripts
- 5 hardcoded-secret CVEs including MySQL database credentials (CVSS 8.1) and API keys
- 4 CVEs where TLS certificate verification is disabled in outbound cURL requests
- 5 reflected XSS CVEs allowing authenticated attackers to inject JavaScript
- All 25 vulnerabilities fixed in a single release: version 3.44.2
- Hardcoded MySQL credentials in public source repo may require credential rotation
Twenty-five security vulnerabilities were disclosed together on May 21, 2026, affecting Open ISES Tickets (the "Tickets" help-desk and incident-management application by Openises). The batch spans four distinct bug classes — SQL injection, hardcoded credentials and API keys, disabled TLS certificate verification, and reflected cross-site scripting — all of which are remediated in version 3.44.2. The breadth of the disclosure signals a deep, systemic lack of input sanitization and secret-management discipline across the codebase, putting deployed instances at risk of database compromise, credential theft, and man-in-the-middle interception.
SQL Injection Cluster (11 CVEs)
The largest group in the batch is a set of SQL injection vulnerabilities, most rated High severity (CVSSv3 7.1–8.2). These flaws arise from unsanitized user-supplied parameters being concatenated directly into SQL queries across multiple AJAX handlers and utility scripts.
CVE-2026-48235 (CVSS 8.2) is the most severe of the SQLi group: it affects incs/remotes.inc.php, where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. An attacker who can control or spoof the GPS feed can inject arbitrary SQL.
Several other SQLi CVEs require an authenticated attacker who manipulates POST or GET parameters to alter query semantics. CVE-2026-48240 and CVE-2026-48239 affect ajax/statistics.php and ajax/reports.php respectively, where the tick_id and f_tick_id POST parameters are injected into WHERE clauses. CVE-2026-48238 (ajax/mobile_main.php) and CVE-2026-48237 (message.php) follow the same pattern with the id and frm_ticket_id parameters. CVE-2026-48236 in db_loader.php is notable because it allows an authenticated attacker to pass database connection parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) that are concatenated into dynamic SQL executed against an attacker-controlled database.
Additional SQLi CVEs include CVE-2026-48234 (ORDER BY injection in portal/ajax/list_requests.php), CVE-2026-48233 and CVE-2026-48232 (LIMIT clause injection in ajax/sit_incidents.php and ajax/fullsit_incidents.php), and CVE-2026-48231 (table/column identifier injection in tables.php).
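The three query positions named in this cluster (WHERE values, ORDER BY columns, LIMIT counts and identifiers) need different fixes, since only values can be bound as parameters. The following is an added example, not code from Open ISES Tickets; it assumes an existing PDO connection in $pdo and a tickets table with tick_id, status and created_at columns.

```php
<?php
// Vulnerable: a POST value is spliced straight into the WHERE clause.
function ticketVulnerable(PDO $pdo, string $tickId): array {
    $sql = "SELECT * FROM tickets WHERE tick_id = '" . $tickId . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value travels as a bound parameter, never as SQL text.
function ticketFixed(PDO $pdo, string $tickId): array {
    $stmt = $pdo->prepare('SELECT * FROM tickets WHERE tick_id = :id');
    $stmt->execute([':id' => $tickId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ORDER BY columns, table/column identifiers and LIMIT counts cannot be
// bound, so the fix is an allow-list for identifiers and an integer clamp
// for counts; anything outside the list falls back to a safe default.
function buildListQuery(string $sortKey, string $dir, $limit): string {
    // Assumed mapping from request keys to real column names.
    $sortable = ['created' => 'created_at', 'status' => 'status', 'id' => 'tick_id'];
    $column = array_key_exists($sortKey, $sortable) ? $sortable[$sortKey] : 'created_at';
    $direction = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    $count = min(max((int)$limit, 1), 100);   // (int) drops any trailing text
    return "SELECT tick_id, status FROM tickets ORDER BY {$column} {$direction} LIMIT {$count}";
}

// Constructed hostile inputs for the identifier and LIMIT positions:
// both collapse to the defaults instead of reaching the query text.
echo buildListQuery('tick_id; --', 'desc', '10 OFFSET 0'), PHP_EOL;
// SELECT tick_id, status FROM tickets ORDER BY created_at DESC LIMIT 10
```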
Hardcoded Secrets (5 CVEs)
Three CVEs cover hardcoded API keys embedded in the public source repository. CVE-2026-48245 and CVE-2026-48244 (both CVSS 5.3) disclose a hardcoded Google Maps API key in tables.php and settings.inc.php respectively. CVE-2026-48243 (CVSS 5.3) exposes a WhitePages reverse-phone API key in wp1.php. Any actor with read access to the source tree can extract these keys and use them to make API calls billed against the original owner's accounts.
More critically, CVE-2026-48242 and CVE-2026-48241 (both CVSS 8.1, High severity) expose hardcoded MySQL database connection credentials — host, username, password, and database name — in import_mdb.php and loader.php. Because these files are committed to the public repository, anyone with source access can obtain valid database credentials that may match production deployments.
Disabled TLS Certificate Verification (4 CVEs)
Four Medium-severity CVEs (CVSS 5.9) share an identical root cause: the application disables TLS certificate verification in outbound cURL requests by setting CURLOPT_SSL_VERIFYPEER to false and omitting CURLOPT_SSL_VERIFYHOST. This affects the mobile (RouteMate) login flow (CVE-2026-48249, rm/incs/mobile_login.inc.php), the standard login flow (CVE-2026-48248, incs/login.inc.php), general-purpose outbound HTTPS requests (CVE-2026-48247, incs/functions.inc.php), and Google Maps Directions API lookups during incident report generation (CVE-2026-48246, ajax/reports.php). An attacker positioned on the network path can trivially perform man-in-the-middle attacks against these connections.
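The weak cURL setup this group describes, beside a hardened helper that verifies the chain and hostname and refuses to return data on a verification failure. This is an added example, not the application's code; $url and the optional $caBundle path are assumptions.

```php
<?php
// Weak: peer verification off and VERIFYHOST left unset, so any
// certificate presented by an on-path party is accepted.
function fetchInsecure(string $url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);   // the flaw
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Hardened: verify chain and hostname, set a TLS floor, allow only HTTPS,
// and turn any transport failure into an exception instead of a value.
function fetchVerified(string $url, ?string $caBundle = null): string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,                    // name must match CN/SAN
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,      // no downgrade via redirect
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_TIMEOUT         => 10,
    ]);
    if ($caBundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);     // private CA, if any
    }
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $err   = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        // Certificate and hostname mismatches arrive here as a non-zero
        // errno with no body; callers never see unverified content.
        throw new RuntimeException("HTTPS failure for {$url}: [{$errno}] {$err}");
    }
    return $body;
}
```

Grepping a deployment for CURLOPT_SSL_VERIFYPEER set to false or 0 is a quick way to find every call site that still uses the weak form.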
Reflected Cross-Site Scripting (5 CVEs)
Five Medium-severity CVEs (CVSS 5.4) cover reflected XSS vulnerabilities that allow authenticated attackers to inject arbitrary JavaScript. The affected files are ticketsmdb_import.php (CVE-2026-48230), routes_i.php (CVE-2026-48229), patient_w.php (CVE-2026-48228), patient.php (CVE-2026-48227), os_watch.php (CVE-2026-48226), and landb.php (CVE-2026-48225). In each case, unsanitized GET or POST parameter values are reflected directly into HTML form attributes or hidden input values, enabling crafted malicious links to execute script in the context of the victim's session.
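The attribute-context reflection described above, with the escaped form beside it. This is an added example rather than code from the affected files; the field name and the crafted request value are constructed.

```php
<?php
// Vulnerable: the raw request value is placed inside a hidden input's
// value attribute, so a double quote closes the attribute and the tag.
function hiddenFieldVulnerable(string $name, string $value): string {
    return '<input type="hidden" name="' . $name . '" value="' . $value . '">';
}

// Fixed: escape for the HTML attribute context. ENT_QUOTES handles both
// quote styles; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
function attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function hiddenFieldFixed(string $name, string $value): string {
    return '<input type="hidden" name="' . attr($name) . '" value="' . attr($value) . '">';
}

// Constructed request value that closes the attribute and inserts a marker
// element; with script in place of <b> it would run in the victim's session.
$crafted = '"><b>injected</b><input type="hidden" value="';

echo hiddenFieldVulnerable('patient_id', $crafted), PHP_EOL;
// <input type="hidden" name="patient_id" value=""><b>injected</b><input ... >
echo hiddenFieldFixed('patient_id', $crafted), PHP_EOL;
// <input type="hidden" name="patient_id" value="&quot;&gt;&lt;b&gt;injected&lt;/b&gt;...">

// Self-check: no tag survives the escaped path.
assert(strpos(hiddenFieldFixed('patient_id', $crafted), '<b>') === false);
```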
Patch and Mitigation
All 25 CVEs are addressed in Open ISES Tickets version 3.44.2. Users running any earlier version should upgrade immediately. No workarounds or partial mitigations have been published by the vendor for individual CVEs; the single version bump covers the entire batch. Given the presence of hardcoded database credentials in the public repository, organizations should also rotate any MySQL credentials that match those found in import_mdb.php or loader.php and regenerate any exposed Google Maps or WhitePages API keys.
Why This Batch Matters
The sheer density of vulnerabilities — 25 CVEs across four unrelated bug classes in a single disclosure — points to a codebase that lacked fundamental security practices: no input sanitization, no TLS verification, and secrets committed to version control. For organizations running Open ISES Tickets for incident management or help-desk operations, the upgrade to 3.44.2 is urgent. The SQL injection and hardcoded credential CVEs in particular could lead to full database compromise, while the TLS bypass flaws expose all outbound authentication traffic to interception.