CVE-2026-35007
Status: Received - Intake
Reflected XSS in Open ISES Tickets

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: VulnCheck

Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single_unit.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id GET parameter directly into an HTML attribute. Attackers can craft a malicious URL containing a JavaScript payload in the id parameter that executes in the victim's browser when the URL is visited.
Meta Information
  • Published: 2026-05-20
  • Last Modified: 2026-05-20
  • Generated: 2026-05-21
  • AI Q&A: 2026-05-20
  • EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
  • CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35007 is a reflected cross-site scripting (XSS) vulnerability found in Open ISES Tickets versions before 3.44.2, specifically in the single_unit.php file.

The vulnerability occurs because the id GET parameter is passed into an HTML attribute without proper sanitization or neutralization. This allows an authenticated attacker to inject arbitrary JavaScript code by crafting a malicious URL containing a JavaScript payload in the id parameter.

When a victim visits the malicious URL, the injected JavaScript executes in their browser, potentially leading to unauthorized actions or data exposure.


How can this vulnerability impact me?

This vulnerability can impact users by allowing attackers to execute arbitrary JavaScript in their browsers when they visit a specially crafted URL.

  • It can lead to theft of sensitive information such as session cookies or credentials.
  • Attackers may perform actions on behalf of the victim within the application.
  • It can be used to deliver malicious payloads or redirect users to malicious sites.

Overall, it poses a medium severity risk with a CVSS score of 5.1, indicating a moderate impact on confidentiality and integrity.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the single_unit.php page for reflected cross-site scripting (XSS) via the id GET parameter. You can attempt to inject a JavaScript payload into the id parameter and observe if it executes in the browser.

  • Use a web browser or tools like curl or wget to send requests with a test payload in the id parameter, for example: http://yourserver/single_unit.php?id=<script>alert(1)</script>
  • Use automated web vulnerability scanners that support XSS detection to scan the affected URL.
  • Monitor web server logs for suspicious requests containing script tags or unusual characters in the id parameter.
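A log-review helper for the third bullet, written here as an added example (it is not part of this page or of the Open ISES Tickets project): it parses constructed combined-format access-log lines and flags requests to single_unit.php whose decoded id value contains markup or falls outside the alphanumeric character set that ticket ids are assumed (not stated on the page) to use.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined access-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [20/May/2026:10:01:02 +0000] "GET /single_unit.php?id=1042 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - bob [20/May/2026:10:03:15 +0000] "GET /single_unit.php?id=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
10.0.0.9 - carol [20/May/2026:10:04:40 +0000] "GET /single_unit.php?id=1042%27 HTTP/1.1" 200 5180 "-" "Mozilla/5.0"
10.0.0.5 - alice [20/May/2026:10:05:00 +0000] "GET /index.php?page=%3Cb%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method target protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Markup or script indicators that have no business in a ticket id.
MARKUP_RE = re.compile(r'[<>]|script|javascript:', re.IGNORECASE)
# Assumption (not stated on the page): legitimate ids use only [A-Za-z0-9_-].
ALLOWED_ID_RE = re.compile(r'^[A-Za-z0-9_-]*$')


def classify_id(value):
    """Return a reason string if the decoded id value looks suspicious, else None."""
    if MARKUP_RE.search(value):
        return 'markup'
    if not ALLOWED_ID_RE.match(value):
        return 'unusual characters'
    return None


def scan_log(text):
    """Return one finding per suspicious id value on requests to single_unit.php."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        if not url.path.endswith('/single_unit.php'):
            continue  # only the affected script is in scope here
        for raw in parse_qs(url.query, keep_blank_values=True).get('id', []):
            value = unquote(raw)  # parse_qs decoded once; this catches double-encoding
            reason = classify_id(value)
            if reason:
                findings.append({'ip': m.group('ip'), 'user': m.group('user'),
                                 'ts': m.group('ts'), 'id': value, 'reason': reason})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} user={f['user']} reason={f['reason']} id={f['id']!r}")
```

Feed it real access logs with `scan_log(open(path).read())`; the allowed-character rule should be adjusted if the deployment's ticket ids use other characters.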

What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to apply the patch released for Open ISES Tickets version 3.44.2 or later, which addresses the reflected XSS issue in single_unit.php.

Until the patch is applied, restrict access to the affected page to trusted users only, and educate users to avoid clicking on suspicious URLs containing the id parameter.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how this reflected cross-site scripting (XSS) vulnerability in Open ISES Tickets affects compliance with common standards and regulations such as GDPR or HIPAA.

