VYPR
Vendor

Openises

Products
2
CVEs
55
Across products
67
Status
Private

Products

2

Recent CVEs

55
View all 55 CVEs →
  • CVE-2018-25404HigMay 29, 2026
    risk 0.53cvss 8.2epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ticket_id parameter. Attackers can send GET requests to add_facnote.php with crafted SQL payloads to…

  • CVE-2018-25403HigMay 29, 2026
    risk 0.53cvss 8.2epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to city_graph.php with crafted SQL payloads to extract…

  • CVE-2018-25402HigMay 29, 2026
    risk 0.53cvss 8.2epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inc_types_graph.php with crafted SQL payloads to…

  • CVE-2018-25401HigMay 29, 2026
    risk 0.53cvss 8.2epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to sever_graph.php with crafted SQL payloads to…

  • CVE-2018-25400HigMay 29, 2026
    risk 0.53cvss 8.2epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to the ajax/form_post.php endpoint with crafted SQL…

  • CVE-2018-25399HigMay 29, 2026
    risk 0.53cvss 8.2epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tick_lat and tick_lng parameters. Attackers can send GET requests to nearby.php with crafted SQL…

  • CVE-2018-25398HigMay 29, 2026
    risk 0.53cvss 8.2epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frm_passwd parameter. Attackers can send POST requests to main.php with crafted SQL payloads to…

  • CVE-2018-25408HigMay 30, 2026
    risk 0.49cvss 7.5epss 0.01

    The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename parameter. Attackers can supply directory traversal sequences ../ in the filename…

  • CVE-2026-48242HigMay 21, 2026
    risk 0.46cvss 8.1epss 0.00

    Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid…

  • CVE-2026-48241HigMay 21, 2026
    risk 0.46cvss 8.1epss 0.00

    Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php (a public-facing database utility) that are committed to the source repository. Any actor with access to the public source tree (or an unauthenticated attacker with read access to the…

  • CVE-2026-48235HigMay 21, 2026
    risk 0.46cvss 8.2epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are…

  • CVE-2026-48240HigMay 21, 2026
    risk 0.39cvss 7.1epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/statistics.php where the tick_id and f_tick_id POST parameters are concatenated into WHERE clauses of SELECT statements in the statistics rollup queries without sanitization. Authenticated attackers…

  • CVE-2026-48239HigMay 21, 2026
    risk 0.39cvss 7.1epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick_id POST parameter is concatenated into the WHERE clause of SELECT statements in the incidents summary report without sanitization. Authenticated attackers can craft requests…

  • CVE-2026-48238HigMay 21, 2026
    risk 0.39cvss 7.1epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/mobile_main.php where the id GET parameter is concatenated into the WHERE clause of a SELECT statement used as a ticket-existence sanity check without sanitization. Authenticated attackers can craft…

  • CVE-2026-48237HigMay 21, 2026
    risk 0.39cvss 7.1epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in message.php where the frm_ticket_id and frm_resp_id POST parameters are concatenated into WHERE clauses of SELECT/UPDATE statements without sanitization. Authenticated attackers can craft requests that…

  • CVE-2026-48236HigMay 21, 2026
    risk 0.39cvss 7.1epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in db_loader.php where the multiple POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) are concatenated into mysqli connection arguments and dynamic SQL operating against an…

  • CVE-2026-48234HigMay 21, 2026
    risk 0.39cvss 7.1epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in portal/ajax/list_requests.php where the sort and dir GET parameters are concatenated into the ORDER BY clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that…

  • CVE-2026-48233HigMay 21, 2026
    risk 0.39cvss 7.1epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/sit_incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics…

  • CVE-2026-48232HigMay 21, 2026
    risk 0.39cvss 7.1epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/fullsit_incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query…

  • CVE-2026-48231HigMay 21, 2026
    risk 0.39cvss 7.1epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in tables.php where the multiple POST parameters (tablename, indexname, sortby) are concatenated into table/column identifiers in dynamically constructed SELECT/UPDATE/DELETE statements without sanitization.…