CVE Catalog

CVE-2026-48241

High
Published: Translated: NVD NIST

Summary

Open ISES Tickets before version 3.44.2 contains hardcoded MySQL database credentials in loader.php, which is publicly accessible. Any actor with access to the public source tree or an unauthenticated attacker with read access to the file on a deployed installation can read the username, password, and database name.

Risk Assessment

The risk is that unauthorized users may gain access to the database, potentially leading to data leaks or unauthorized modifications.

Recommendation

It is recommended to upgrade to version 3.44.2 or later to remove the hardcoded credentials and restrict access to the loader.php file.

Original NVD description (English source)

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php (a public-facing database utility) that are committed to the source repository. Any actor with access to the public source tree (or an unauthenticated attacker with read access to the file on a deployed installation) can read the username, password, and database name and use them to connect to the database if it is reachable from their network.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS