CVE-2026-35008
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk13th percentile - higher than 13% of all known CVEs
Summary
Open ISES Tickets before version 3.44.2 contains a reflected cross-site scripting vulnerability in single.php. An authenticated attacker can inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into an HTML attribute.
Risk Assessment
The risk involves executing malicious scripts in the victim's browser upon clicking a crafted link, potentially leading to session theft, account takeover, or data leakage.
Recommendation
Immediately update Open ISES Tickets to version 3.44.2 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into an HTML attribute. Attackers can craft a malicious URL containing a JavaScript payload in the id parameter that executes in the victim's browser when the URL is visited.

