CVE-2026-48238
SQL Injection in Open ISES Tickets
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: VulnCheck
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48238 is a SQL injection vulnerability found in Open ISES Tickets versions before 3.44.2. It occurs in the ajax/mobile_main.php file where the 'id' GET parameter is directly concatenated into the WHERE clause of a SQL SELECT statement without proper sanitization. This flaw allows authenticated attackers to manipulate the SQL query, potentially altering its behavior.
Because of this vulnerability, attackers can craft malicious requests that change the query semantics, enabling them to read, modify, or delete data stored in the database.
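The following is an added illustration, not code from Open ISES Tickets or from this record: it places the weak pattern the answer above describes (a request parameter concatenated into a WHERE clause) next to a hardened handler for the same lookup. The PDO connection `$pdo`, the table `tickets` and its columns are assumptions; the project's real schema and query are not on this page.

```php
<?php
// Added illustrative example (not code from Open ISES Tickets). Assumes a PDO
// connection $pdo and a hypothetical table `tickets` with an integer key `id`.

// --- Weak pattern (do not use): request input concatenated into the WHERE clause ---
function lookup_ticket_unsafe(PDO $pdo, array $get): array
{
    $id = $get['id'] ?? '';
    // $id is spliced into the statement as SQL text, so whatever the client sends
    // is parsed as part of the query rather than treated as a value.
    $sql = "SELECT id, subject, status FROM tickets WHERE id = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened handler: validate the type, then bind the value as a parameter ---
function lookup_ticket_safe(PDO $pdo, array $get): ?array
{
    // 1. Accept only a plain positive integer; anything else never reaches SQL.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // 2. Prepared statement: the query text is fixed; $id travels as bound data.
    $stmt = $pdo->prepare('SELECT id, subject, status FROM tickets WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Example wiring (assumed DSN and credentials; replace with the deployment's own):
// $pdo = new PDO('mysql:host=localhost;dbname=tickets', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // bind on the server, not by string escaping
// ]);
// header('Content-Type: application/json');
// echo json_encode(lookup_ticket_safe($pdo, $_GET));
```

Two design points matter here. Type validation alone is not the fix; the prepared statement is, because it keeps query structure and data on separate channels even if validation is later loosened. Disabling `PDO::ATTR_EMULATE_PREPARES` makes the MySQL driver use true server-side parameters instead of client-side escaping. From a detection standpoint, the 400 responses the hardened handler returns for a non-numeric `id` are a cheap signal to log and alert on, since a legitimate client never sends one.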
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized access to sensitive data, modification of database contents, or deletion of important information. Since attackers can manipulate the database through crafted requests, it can lead to data breaches, loss of data integrity, and disruption of service.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Open ISES Tickets to version 3.44.2 or later, where the SQL injection flaw in ajax/mobile_main.php has been patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers to read, modify, or delete database contents via SQL injection. Such unauthorized access and manipulation of data can lead to breaches of sensitive information.
This kind of data compromise can negatively impact compliance with data protection regulations and standards such as GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access and alteration.
Therefore, if exploited, this vulnerability could result in violations of these regulations due to potential data breaches and loss of data integrity.