VYPR
Vypr Intelligence · AI-generated · Jun 1, 2026 · 8 CVEs

Open ISES Tickets: Eight Unauthenticated High-Severity Bugs Disclosed in a Single Batch

Eight unauthenticated high-severity vulnerabilities — seven SQL injections and one path-traversal — were disclosed together in Open ISES Tickets 3.30A, exposing ticketing servers to database theft and file exfiltration.

Key findings

  • Seven unauthenticated SQL injection flaws disclosed in Open ISES Tickets 3.30A
  • One unauthenticated path-traversal bug (CVE-2018-25408) allows arbitrary file download
  • All eight CVEs are high severity (CVSSv3 7.5–8.2) and require no authentication
  • SQLi endpoints include city_graph.php, add_facnote.php, nearby.php, and main.php
  • No official patch released yet; WAF rules are the recommended mitigation
  • Chaining SQLi with the path-traversal bug could lead to full server compromise

On 29–30 May 2026, eight high-severity vulnerabilities were disclosed together in Open ISES Tickets (the Open ISES Project, version 3.30A), a help-desk and ticketing application. The batch comprises seven unauthenticated SQL injection flaws and one unauthenticated path-traversal bug, all carrying CVSSv3 scores of 7.5 or 8.2. Because the application is widely deployed in IT service-management environments, the disclosure signals a significant risk: exploiting even a single SQLi lets an attacker extract the full database, and the path-traversal bug provides a complementary file-read capability.

Seven of the eight CVEs are SQL injection vulnerabilities, each reachable without authentication and exploitable via GET or POST requests. The largest cluster targets the p1 parameter across three different graphing endpoints: city_graph.php (CVE-2018-25403), inc_types_graph.php (CVE-2018-25402), and sever_graph.php (CVE-2018-25401). A fourth SQLi resides in the ticket_id parameter of add_facnote.php (CVE-2018-25404), while a fifth is in the id parameter of ajax/form_post.php (CVE-2018-25400). Two more SQLi flaws affect nearby.php via the tick_lat and tick_lng parameters (CVE-2018-25399) and main.php via the frm_passwd parameter (CVE-2018-25398). All seven allow an unauthenticated attacker to execute arbitrary SQL queries, potentially exfiltrating user credentials, ticket data, and internal configuration.

The eighth CVE, CVE-2018-25408 (CVSSv3 7.5), is a path-traversal vulnerability in ajax/download.php. By supplying directory-traversal sequences (../) in the filename parameter, an unauthenticated attacker can download arbitrary files from the server. When combined with any of the SQL injection flaws, this bug gives an attacker both database access and the ability to read sensitive local files such as application configuration or system secrets.
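The check that a download handler of this kind needs is containment: the user-supplied name is decoded once, canonicalised together with the permitted directory, and refused unless it still resolves inside that directory. The following is an added illustration in Python, not the Open ISES Tickets code (the project is PHP, and its `ajax/download.php` source is not on this page); `resolve_download`, `demo`, the directory layout and the probe names are all constructed for the example.

```python
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_download(base_dir: str, filename: str) -> Optional[str]:
    """Return the canonical path of `filename` inside `base_dir`, or None.

    Hypothetical hardening for a download handler that takes a user-supplied
    file name (not the Open ISES Tickets code): decode the name once,
    canonicalise it together with the allowed directory, and refuse anything
    that does not resolve to an existing regular file inside that directory.
    """
    base = os.path.realpath(base_dir)
    # Decode exactly once, matching what the web server has already done for
    # the handler, so encoded traversal (%2e%2e%2f) is judged in decoded form.
    name = unquote(filename)
    if not name or os.path.isabs(name):
        return None
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath avoids the prefix pitfall of a plain startswith() check, where
    # /srv/files2 would pass as being "inside" /srv/files.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> Dict[str, Optional[str]]:
    """Run the check over constructed probes in a throw-away directory tree.

    Results are returned relative to the download directory so they do not
    depend on the random temp path.
    """
    with tempfile.TemporaryDirectory() as root:
        files = os.path.join(root, "files")
        os.makedirs(os.path.join(files, "sub"))
        for rel, text in [
            ("files/ticket-17.pdf", "constructed attachment\n"),
            ("files/sub/note.txt", "constructed nested attachment\n"),
            ("secret.conf", "constructed file outside the download directory\n"),
        ]:
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        probes = [
            "ticket-17.pdf",          # legitimate
            "sub/note.txt",           # legitimate, nested
            "sub/../ticket-17.pdf",   # dot-dot that stays inside: allowed
            "../secret.conf",         # plain traversal: the file exists, still refused
            "..%2Fsecret.conf",       # URL-encoded traversal: refused after decoding
            "/etc/hostname",          # absolute path: refused
            "missing.pdf",            # inside, but no such file
        ]
        real_files = os.path.realpath(files)
        results: Dict[str, Optional[str]] = {}
        for probe in probes:
            resolved = resolve_download(files, probe)
            results[probe] = None if resolved is None else os.path.relpath(resolved, real_files)
        return results


if __name__ == "__main__":
    for probe, result in demo().items():
        print(f"{probe!r:28} -> {result}")
```

The `sub/../ticket-17.pdf` probe is the reason to compare canonical paths rather than to reject the literal `../` substring: a dot-dot that stays inside the directory is harmless, while a name that leaves it is refused whether or not the target file exists.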

No public reports of active exploitation in the wild have been published as of the disclosure date. However, the attack surface is broad: all eight vulnerabilities are pre-authentication, require no special headers or tokens, and are reachable through default Open ISES Tickets installations. The vendor, Openises, has not yet released a patched version; users of version 3.30A are advised to apply web-application firewall (WAF) rules that block SQL injection patterns and directory-traversal sequences in the affected parameters until an official update is available.
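Until a fix ships, the same endpoint-and-parameter list that a WAF rule would cover can be used to triage existing access logs for the SQLi endpoints described two paragraphs up and for the download endpoint. The following is an added Python example, not Vypr's or the Open ISES Project's code: the endpoint-to-parameter table is taken from the disclosure as summarised on this page, while the log lines, IP addresses and request values are constructed, and `triage` and `by_source` are hypothetical helper names.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Affected endpoints and the parameters named in the disclosure. Paths are
# matched by suffix so an install under a sub-directory still matches.
WATCH: Dict[str, List[str]] = {
    "city_graph.php": ["p1"],
    "inc_types_graph.php": ["p1"],
    "sever_graph.php": ["p1"],
    "add_facnote.php": ["ticket_id"],
    "ajax/form_post.php": ["id"],
    "nearby.php": ["tick_lat", "tick_lng"],
    "main.php": ["frm_passwd"],
    "ajax/download.php": ["filename"],
}

# Coarse indicators, applied to the decoded parameter value. This is triage
# for an unpatched host, not a tuned WAF signature, so expect some noise.
SQLI = re.compile(r"""['"]|--|/\*|\b(?:union|select)\b""", re.I)
TRAVERSAL = re.compile(r"\.\./|\.\.\\")

# Combined log format (Apache/nginx default); only the request line is needed.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access log: two requests each to city_graph.php,
# nearby.php and the download endpoint, plus one to an unaffected page.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/May/2026:10:01:12 +0000] "GET /tickets/city_graph.php?p1=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/May/2026:10:01:15 +0000] "GET /tickets/city_graph.php?p1=3%27%20-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/May/2026:10:02:40 +0000] "GET /tickets/nearby.php?tick_lat=51.5&tick_lng=-0.12 HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.7 - - [30/May/2026:10:02:44 +0000] "GET /tickets/nearby.php?tick_lat=51.5%27&tick_lng=-0.12 HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.7 - - [30/May/2026:10:03:01 +0000] "GET /tickets/ajax/download.php?filename=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1407 "-" "curl/8.0"',
    '192.0.2.9 - - [30/May/2026:10:04:00 +0000] "GET /tickets/ajax/download.php?filename=ticket-17.pdf HTTP/1.1" 200 40321 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [30/May/2026:10:04:10 +0000] "GET /tickets/index.php?p1=%27 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per watched parameter whose value carries an indicator."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        url = urlsplit(m["target"])
        endpoint = next((e for e in WATCH if url.path.endswith("/" + e)), None)
        if endpoint is None:
            continue  # the page is not one of the eight affected endpoints
        params = parse_qs(url.query, keep_blank_values=True)
        for name in WATCH[endpoint]:
            for raw in params.get(name, []):
                # parse_qs decoded once; a second decode surfaces double-encoded values
                value = unquote(raw)
                if endpoint == "ajax/download.php":
                    kind = "path-traversal" if TRAVERSAL.search(value) else ""
                else:
                    kind = "sqli" if SQLI.search(value) else ""
                if kind:
                    findings.append({
                        "ip": m["ip"], "time": m["ts"], "endpoint": endpoint,
                        "param": name, "value": value, "kind": kind,
                        "status": m["status"],
                    })
    return findings


def by_source(findings: List[Dict[str, str]]) -> Counter:
    """Count findings per client address to see which sources are probing."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['ip']} {h['kind']:14} {h['endpoint']} {h['param']}={h['value']!r} ({h['status']})")
    print(dict(by_source(hits)))
```

Two caveats follow from the data source. An access log records only the query string, so parameters submitted by POST (a login form's `frm_passwd` on main.php, for instance) are visible only in a WAF or application log; and the indicators are deliberately coarse, so a quote character in a legitimately chosen password will surface as a hit that needs a human look. The HTTP status is carried along because a 500 on a graph endpoint that normally returns 200 is a useful corroborating signal.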

The disclosure of eight unauthenticated, high-severity bugs in a single batch underscores the importance of input validation in PHP-based ticketing systems. Open ISES Tickets administrators should treat this as a priority event: the combination of SQLi and path-traversal means a single unpatched instance can lead to full server compromise. The community will be watching for a 3.30B or 3.31 release that addresses these flaws across the board.

AI-written article. Grounded in 8 CVE records listed below.