CVE-2026-22200
Arbitrary File Read in osTicket PDF Export Allows Data Disclosure

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: VulnCheck

Description
Enhancesoft osTicket versions up to and including 1.18.2 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
Meta Information
Published: 2026-01-12
Last Modified: 2026-01-12
Generated: 2026-05-27
AI Q&A: 2026-01-13
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor        Product    Version / Range
enhancesoft   osticket   up to 1.18.2 (inclusive)
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22200 is an arbitrary file read vulnerability in osTicket versions up to 1.18.2. It occurs in the ticket PDF export functionality, where a remote attacker can submit a ticket containing specially crafted rich-text HTML with PHP filter expressions. These expressions are not properly sanitized before being processed by the mPDF PDF generator. When the ticket is exported to PDF, the generated document can embed contents of attacker-selected files from the server filesystem as bitmap images, allowing the attacker to disclose sensitive local files within the context of the osTicket application user. This vulnerability can be exploited in default configurations where guests can create tickets and access ticket status or where self-registration is enabled. [1]


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive local files on the server running osTicket. An attacker can remotely read arbitrary files by embedding their contents into exported PDF tickets, potentially exposing confidential information. This compromises the confidentiality of data within the osTicket application environment and can affect users who have access to the exported PDFs. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves monitoring for tickets submitted with crafted rich-text HTML containing PHP filter expressions targeting the PDF export functionality. Since the vulnerability exploits the ticket PDF export feature by embedding PHP filters in ticket content, you can detect suspicious tickets by searching for PHP filter patterns in ticket submissions. For example, you might search the database or logs for ticket content containing PHP filter expressions such as 'php://filter'. Commands depend on your environment, but a sample grep command on exported ticket data or logs could be: grep -r 'php://filter' /path/to/osticket/tickets or searching the database for ticket content containing 'php://filter'. Additionally, monitoring PDF export requests and analyzing generated PDFs for embedded unexpected bitmap images may help detect exploitation attempts. [1]
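A defender-side check along the lines of the grep above, added here as an example that is not osTicket's or mPDF's code: it parses the rich-text body of each ticket and flags any image, link or CSS url() whose scheme is not on an allow-list, so php:// and other stream wrappers are caught even when the colon is entity-encoded. The allow-list, the attribute set and the sample tickets are assumptions.

```python
"""Scan osTicket rich-text ticket bodies for non-web URL schemes (stream
wrappers such as php://) in attributes that mPDF resolves during PDF export.
Added example, not osTicket or mPDF code; sample ticket bodies are constructed."""
import re
from html.parser import HTMLParser

ALLOWED_SCHEMES = {"http", "https", "data", "cid", "mailto"}  # legitimate in tickets
URL_ATTRS = {"src", "href", "background"}  # values mPDF may fetch while rendering
SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)

class _UrlCollector(HTMLParser):
    """Collect (tag, attribute, url) triples.  HTMLParser decodes entities,
    so an encoded colon such as php&#58;// is seen as php://."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in URL_ATTRS:
                self.urls.append((tag, name, value))
            elif value and name == "style":  # background-image: url(...)
                for css_url in CSS_URL_RE.findall(value):
                    self.urls.append((tag, "style", css_url))

def find_suspicious_urls(ticket_html):
    """Return every URL whose scheme is outside ALLOWED_SCHEMES; relative
    (scheme-less) URLs are treated as benign."""
    collector = _UrlCollector()
    collector.feed(ticket_html)
    findings = []
    for tag, attr, url in collector.urls:
        match = SCHEME_RE.match(url)
        if match and match.group(1).lower() not in ALLOWED_SCHEMES:
            findings.append({"tag": tag, "attr": attr,
                             "scheme": match.group(1).lower(), "url": url})
    return findings

def scan_tickets(tickets):
    """Map {ticket_id: html} to the sorted ids whose body needs review."""
    return sorted(tid for tid, html in tickets.items() if find_suspicious_urls(html))

# Constructed sample ticket bodies, not real osTicket data.
SAMPLE_TICKETS = {
    "T-1001": '<p>Printer jams.</p><img src="https://cdn.example.test/jam.png">',
    "T-1002": '<img src="data:image/png;base64,iVBORw0KGgo="><a href="/tickets.php?id=7">x</a>',
    "T-1003": '<p>See image.</p><img src="PHP://filter/resource=placeholder.txt">',
    "T-1004": '<div style="background:url(php&#58;//filter/resource=placeholder.txt)">x</div>',
}
```

Run it against a dump of ticket bodies from the database rather than only against exported PDFs, since the wrapper URL is resolved at export time and need not survive into the generated document.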


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting guest users from creating tickets or accessing ticket status if not necessary, and disabling self-registration to reduce exposure. Additionally, avoid exporting tickets to PDF unless necessary and ensure that the osTicket installation is updated beyond version 1.18.2 once a patch is available. As a temporary workaround, monitor and sanitize ticket content to prevent PHP filter expressions from being processed during PDF export. Applying network-level controls to restrict access to the ticket export functionality may also help reduce risk. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows remote attackers to read arbitrary files on the server through the PDF export functionality, potentially disclosing sensitive local files within the context of the osTicket application user. This unauthorized disclosure of sensitive information could lead to non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and disclosure. [1]

