CVE Catalog

CVE-2026-35008

MediumCVSS 4.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile - higher than 13% of all known CVEs

Summary

Open ISES Tickets before version 3.44.2 contains a reflected cross-site scripting vulnerability in single.php. An authenticated attacker can inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into an HTML attribute.

Risk Assessment

The risk involves executing malicious scripts in the victim's browser upon clicking a crafted link, potentially leading to session theft, account takeover, or data leakage.

Recommendation

Immediately update Open ISES Tickets to version 3.44.2 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into an HTML attribute. Attackers can craft a malicious URL containing a JavaScript payload in the id parameter that executes in the victim's browser when the URL is visited.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS