VYPR
Patch · Published May 31, 2026 · 1 source

25 CVEs Disclosed in Open ISES Tickets: SQLi, Hardcoded Credentials, and TLS Verification Flaws

A batch of 25 vulnerabilities was disclosed in Open ISES Tickets, spanning SQL injection, hardcoded secrets, TLS bypass, and XSS, all fixed in version 3.44.2.

Twenty-five security vulnerabilities were disclosed together on May 21, 2026, affecting Open ISES Tickets (the "Tickets" help-desk and incident-management application by Openises). The batch spans four distinct bug classes — SQL injection, hardcoded credentials and API keys, disabled TLS certificate verification, and reflected cross-site scripting — all of which are remediated in version 3.44.2. The breadth of the disclosure signals a deep, systemic lack of input sanitization and secret-management discipline across the codebase, putting deployed instances at risk of database compromise, credential theft, and man-in-the-middle interception.

The largest group in the batch is a set of SQL injection vulnerabilities, most rated High severity (CVSSv3 7.1–8.2). These flaws arise from unsanitized user-supplied parameters being concatenated directly into SQL queries across multiple AJAX handlers and utility scripts. CVE-2026-48235 (CVSS 8.2) is the most severe of the SQLi group: it affects incs/remotes.inc.php, where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. Because the injection point is data returned by a third-party service rather than a request parameter, exploitation does not require an account on the Tickets instance: anyone who can control, intercept, or spoof the GPS feed can inject arbitrary SQL.

Several other SQLi CVEs target authenticated attackers who can manipulate POST or GET parameters to alter query semantics. CVE-2026-48240 and CVE-2026-48239 affect ajax/statistics.php and ajax/reports.php respectively, where tick_id and f_tick_id POST parameters are injected into WHERE clauses. CVE-2026-48238 (ajax/mobile_main.php) and CVE-2026-48237 (message.php) follow the same pattern with id and frm_ticket_id parameters. CVE-2026-48236 in db_loader.php is notable because the authenticated attacker supplies the database connection parameters themselves (ticketsdb, ticketshost, ticketsuser, ticketspassword): the script connects with whatever values are passed and concatenates them into dynamic SQL, so the attacker chooses both the statement text and the database it runs against.
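The two injection patterns described above, as an added example: this is illustrative code written for this page, not code from Open ISES Tickets, and the table, column and callsign names, the session owner, and the CSV-shaped "feed line" are all assumptions. It runs offline against an in-memory SQLite database through PDO; the same prepared-statement fix applies to the MySQL/mysqli code the advisory concerns.

```php
<?php
// Added example; not code from Open ISES Tickets. Schema, names and the
// "GPS feed" format are constructed for the demonstration. Requires PHP 8 with pdo_sqlite.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');           // in-memory DB so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tickets (tick_id INTEGER PRIMARY KEY, owner TEXT, subject TEXT)');
$db->exec('CREATE TABLE units (callsign TEXT PRIMARY KEY, lat REAL, lon REAL)');
$db->exec("INSERT INTO tickets VALUES (1,'alice','printer'), (2,'bob','vpn'), (3,'bob','payroll access')");
$db->exec("INSERT INTO units VALUES ('M1', 0, 0), ('M2', 0, 0)");

// Pattern behind the tick_id / f_tick_id CVEs: the POST parameter is pasted into the
// WHERE clause, so a logged-in user can argue the owner check out of the query.
function reportVulnerable(PDO $db, string $owner, string $tickId): array {
    $sql = "SELECT tick_id, subject FROM tickets WHERE owner = '$owner' AND tick_id = $tickId";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix: validate the type, then bind. The value can only ever be data.
function reportSafe(PDO $db, string $owner, string $tickId): array {
    $id = filter_var($tickId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];                           // non-numeric id: rejected before any query runs
    }
    $stmt = $db->prepare('SELECT tick_id, subject FROM tickets WHERE owner = :owner AND tick_id = :id');
    $stmt->bindValue(':owner', $owner, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Pattern behind CVE-2026-48235: fields parsed from a remote tracking response are
// concatenated into UPDATE. The feed is modelled as a line "callsign,lat,lon";
// nothing in it was typed by a user of the application.
function updateUnitVulnerable(PDO $db, string $feedLine): int {
    [$callsign, $lat, $lon] = explode(',', $feedLine, 3);
    return $db->exec("UPDATE units SET lat = $lat, lon = $lon WHERE callsign = '$callsign'");
}

function updateUnitSafe(PDO $db, string $feedLine): int {
    $parts = explode(',', $feedLine, 3);
    if (count($parts) !== 3 || !is_numeric($parts[1]) || !is_numeric($parts[2])) {
        throw new InvalidArgumentException('feed returned a malformed record');
    }
    [$callsign, $lat, $lon] = $parts;
    $stmt = $db->prepare('UPDATE units SET lat = :lat, lon = :lon WHERE callsign = :cs');
    $stmt->execute([':lat' => (float)$lat, ':lon' => (float)$lon, ':cs' => $callsign]);
    return $stmt->rowCount();
}

// Alice's session asks for ticket "1 OR 1=1".
print_r(reportVulnerable($db, 'alice', '1 OR 1=1'));   // bob's tickets come back as well
print_r(reportSafe($db, 'alice', '1 OR 1=1'));         // rejected, no query executed
print_r(reportSafe($db, 'alice', '1'));                // the legitimate request still works

// A spoofed feed record that rewrites the WHERE clause of the UPDATE.
$spoofed = "M1,51.5,0 WHERE 1=1 --";
updateUnitVulnerable($db, $spoofed);                   // every unit is moved, not just M1
print_r($db->query('SELECT * FROM units')->fetchAll(PDO::FETCH_ASSOC));
try {
    updateUnitSafe($db, $spoofed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

With mysqli the equivalent is `$mysqli->prepare()` plus `bind_param('si', ...)`; the principle is the same. Note that placeholders cannot carry identifiers or connection targets, so the db_loader.php case (CVE-2026-48236) is not fixed by binding alone: connection parameters should come from server-side configuration, never from the request.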

Three CVEs cover hardcoded API keys embedded in the public source repository. CVE-2026-48245 and CVE-2026-48244 (both CVSS 5.3) disclose a hardcoded Google Maps API key in tables.php and settings.inc.php respectively. CVE-2026-48243 (CVSS 5.3) exposes a WhitePages reverse-phone API key in wp1.php. Any actor with read access to the source tree can extract these keys and use them to make API calls billed against the original owner's accounts. More critically, CVE-2026-48242 and CVE-2026-48241 (both CVSS 8.1, High severity) expose hardcoded MySQL database connection credentials — host, username, password, and database name — in import_mdb.php and loader.php. Because these files are committed to the public repository, anyone with source access can obtain valid database credentials that may match production deployments.

Four Medium-severity CVEs (CVSS 5.9) share an identical root cause: the application disables TLS certificate verification in outbound cURL requests by setting CURLOPT_SSL_VERIFYPEER to false and omitting CURLOPT_SSL_VERIFYHOST. This affects the mobile (RouteMate) login flow (CVE-2026-48249, rm/incs/mobile_login.inc.php), the standard login flow (CVE-2026-48248, incs/login.inc.php), general-purpose outbound HTTPS requests (CVE-2026-48247, incs/functions.inc.php), and Google Maps Directions API lookups during incident report generation (CVE-2026-48246, ajax/reports.php). Disabling peer verification is sufficient on its own: cURL no longer checks that the presented certificate chains to a trusted CA, and the omitted CURLOPT_SSL_VERIFYHOST keeps its default of 2, which only checks that the certificate's name matches the URL. An attacker positioned on the network path can therefore present a self-signed certificate for the expected hostname, complete the handshake, and read or modify everything sent over it, including the credentials submitted by the two login flows.
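The weak cURL configuration next to a hardened wrapper, as an added example (illustrative code for this page, not the project's own). The function names, the timeout and the optional pinned CA bundle are assumptions; PHP 8 is assumed for the union return type.

```php
<?php
// Added example; not code from Open ISES Tickets. Function names and defaults are assumed.
declare(strict_types=1);

// The pattern the four CVEs share: chain verification is switched off. VERIFYHOST is left
// at its default (2), so cURL still checks the name in the certificate but not who signed it.
function fetchInsecure(string $url): string|false {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false,        // the vulnerable setting
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Hardened: verify the chain (system bundle, or a pinned one), verify the hostname,
// allow HTTPS only (also on redirects), require TLS 1.2+, bound the wait, and fail closed.
function fetchVerified(string $url, ?string $caBundle = null, int $timeout = 10): string {
    $ch = curl_init($url);
    $opts = [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,           // set explicitly; 1 is not a valid value
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_CONNECTTIMEOUT  => $timeout,
        CURLOPT_TIMEOUT         => $timeout,
    ];
    if ($caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle;     // e.g. a bundle shipped with the application
    }
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);
        $err   = curl_error($ch);
        curl_close($ch);
        // errno 60 (CURLE_PEER_FAILED_VERIFICATION, CURLE_SSL_CACERT on older libcurl) means
        // the peer could not be verified. Surface it; never "fix" it by retrying unverified.
        throw new RuntimeException("transport failure ($errno): $err");
    }
    curl_close($ch);
    return $body;
}

// Manual check, network required: pass a URL on the command line.
// https://self-signed.badssl.com/ is a public host that presents a self-signed certificate.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $url = $argv[1];
    echo 'insecure fetch succeeded: ', var_export(fetchInsecure($url) !== false, true), "\n";
    try {
        fetchVerified($url);
        echo "verified fetch succeeded\n";
    } catch (RuntimeException $e) {
        echo 'verified fetch refused: ', $e->getMessage(), "\n";
    }
}
```

Against the self-signed host the insecure function returns the page while the verified one refuses the connection; against a properly issued certificate both succeed. When auditing a codebase for this pattern, search for `CURLOPT_SSL_VERIFYPEER` set to `false` or `0` and for `CURLOPT_SSL_VERIFYHOST` set to anything other than `2`.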

Six Medium-severity CVEs (CVSS 5.4) cover reflected XSS vulnerabilities that allow authenticated attackers to inject arbitrary JavaScript. The affected files are ticketsmdb_import.php (CVE-2026-48230), routes_i.php (CVE-2026-48229), patient_w.php (CVE-2026-48228), patient.php (CVE-2026-48227), os_watch.php (CVE-2026-48226), and landb.php (CVE-2026-48225). In each case, unsanitized GET or POST parameter values are reflected directly into HTML form attributes or hidden input values, so a payload containing a double quote can close the attribute and append its own markup or event handlers. A crafted link (or, for POST parameters, a page that auto-submits a form) then executes script in the context of the victim's session.
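The attribute-context reflection and its fix, as an added example (written for this page, not taken from the project). The parameter name frm_ticket_id is borrowed from the advisory's list; the helper names and the payload are constructed.

```php
<?php
// Added example; not code from Open ISES Tickets. Helper names and the payload are constructed.
declare(strict_types=1);

// Vulnerable pattern: a request parameter is written straight into an attribute value.
function hiddenFieldVulnerable(string $name, string $value): string {
    return "<input type=\"hidden\" name=\"$name\" value=\"$value\">";
}

// Fix: encode for the HTML attribute context. ENT_QUOTES covers both quote styles,
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8, and the explicit
// charset keeps the encoder and the page's declared encoding in agreement.
function attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function hiddenFieldSafe(string $name, string $value): string {
    return '<input type="hidden" name="' . attr($name) . '" value="' . attr($value) . '">';
}

// What a crafted link would carry in the GET parameter: close the value attribute and the
// input element, then add an element whose error handler runs script. The trailing
// `"` swallows the original closing quote so the markup stays well-formed.
$payload = '"><img src=x onerror="alert(document.cookie)';

// In the real handler this would be $_GET['frm_ticket_id'] ?? ''; here it is constructed.
$param = $payload;

echo "vulnerable: ", hiddenFieldVulnerable('frm_ticket_id', $param), "\n";
echo "safe:       ", hiddenFieldSafe('frm_ticket_id', $param), "\n";

// Sanity check a reviewer can apply: no raw `<` or unescaped `"` may survive encoding.
function attributeIsInert(string $encoded): bool {
    return strpos($encoded, '<') === false && strpos($encoded, '"') === false;
}
var_dump(attributeIsInert(attr($param)));
```

Encoding is context specific: `attr()` is right for attribute and text-node output but not for values placed inside a `<script>` block or a URL, which need their own encoders. A Content-Security-Policy that disallows inline script is a worthwhile second layer but does not replace output encoding.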

All 25 CVEs are addressed in Open ISES Tickets version 3.44.2. Users running any earlier version should upgrade immediately. No workarounds or partial mitigations have been published by the vendor for individual CVEs; the single version bump covers the entire batch. Given the presence of hardcoded database credentials in the public repository, organizations should also rotate any MySQL credentials that match those found in import_mdb.php or loader.php and regenerate any exposed Google Maps or WhitePages API keys. Because the values remain recoverable from the repository's history even after the files are changed, they should be treated as compromised regardless of whether the current tree still contains them.

The sheer density of vulnerabilities — 25 CVEs across four unrelated bug classes in a single disclosure — points to a codebase that lacked fundamental security practices: no input sanitization, no TLS verification, and secrets committed to version control. For organizations running Open ISES Tickets for incident management, the disclosure serves as a stark reminder that help-desk software, which often holds sensitive user data and internal system details, must be treated as a high-value target. The coordinated patch release is a positive step, but the underlying code quality issues suggest that further vulnerabilities may emerge as researchers continue to examine the application.

Synthesized by Vypr AI