VYPR

Tickets

by Openises

CVEs (47)

  • CVE-2026-48242 | High | May 21, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid…

  • CVE-2026-48241 | High | May 21, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php (a public-facing database utility) that are committed to the source repository. Any actor with access to the public source tree (or an unauthenticated attacker with read access to the…

  • CVE-2026-48235 | High | May 21, 2026
    risk 0.46 | cvss 8.2 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are…

  • CVE-2026-48240 | High | May 21, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/statistics.php where the tick_id and f_tick_id POST parameters are concatenated into WHERE clauses of SELECT statements in the statistics rollup queries without sanitization. Authenticated attackers…

  • CVE-2026-48239 | High | May 21, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick_id POST parameter is concatenated into the WHERE clause of SELECT statements in the incidents summary report without sanitization. Authenticated attackers can craft requests…

  • CVE-2026-48238 | High | May 21, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/mobile_main.php where the id GET parameter is concatenated into the WHERE clause of a SELECT statement used as a ticket-existence sanity check without sanitization. Authenticated attackers can craft…

  • CVE-2026-48237 | High | May 21, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in message.php where the frm_ticket_id and frm_resp_id POST parameters are concatenated into WHERE clauses of SELECT/UPDATE statements without sanitization. Authenticated attackers can craft requests that…

  • CVE-2026-48236 | High | May 21, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in db_loader.php where multiple POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) are concatenated into mysqli connection arguments and dynamic SQL operating against an…

  • CVE-2026-48234 | High | May 21, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in portal/ajax/list_requests.php where the sort and dir GET parameters are concatenated into the ORDER BY clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that…

  • CVE-2026-48233 | High | May 21, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/sit_incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics…

  • CVE-2026-48232 | High | May 21, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/fullsit_incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query…

  • CVE-2026-48231 | High | May 21, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in tables.php where multiple POST parameters (tablename, indexname, sortby) are concatenated into table/column identifiers in dynamically constructed SELECT/UPDATE/DELETE statements without sanitization.…

  • CVE-2026-48249 | Medium | May 21, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests during the mobile (RouteMate) login flow. An…

  • CVE-2026-48248 | Medium | May 21, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests during the login/authentication flow. An attacker…

  • CVE-2026-48247 | Medium | May 21, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) for general-purpose outbound HTTPS requests issued by the…

  • CVE-2026-48246 | Medium | May 21, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for Google Maps Directions API lookups during incident report…

  • CVE-2026-48230 | Medium | May 21, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdb_import.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through multiple POST parameters (mdbhost, mdbdb, mdbuser,…

  • CVE-2026-48229 | Medium | May 21, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_i.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into HTML form hidden input…

  • CVE-2026-48228 | Medium | May 21, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form…

  • CVE-2026-48227 | Medium | May 21, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form action…

Page 1 of 3