CVE-2026-48243
Deferred Deferred - Pending Action
Hardcoded WhitePages API Key Exposure in Open ISES Tickets

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: VulnCheck

Description
Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the original owner's WhitePages account.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-21
Generated
2026-06-11
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-10
NVD
CVE-2026-48243
EUVD
EUVD-2026-31325
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openises tickets to 3.44.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability involves a hardcoded WhitePages reverse-phone API key embedded in the source code, which can be extracted and misused by unauthorized actors. This exposure of credentials could potentially lead to unauthorized access to third-party services and misuse of the original owner's account.

However, there is no specific information provided about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

Open ISES Tickets versions before 3.44.2 contain a hardcoded WhitePages reverse-phone API key embedded in the wp1.php file.

This key is committed to the public source repository, meaning anyone with read access to the source code can extract it.

An attacker can then use this key to make unauthorized third-party API calls to WhitePages, which are billed to or rate-limited against the original owner's account.

Impact Analysis

This vulnerability can lead to unauthorized use of the WhitePages API key, allowing attackers to make API calls that are charged to or limited against the original owner's account.

Such unauthorized usage could result in unexpected costs or service disruptions due to hitting rate limits.

Detection Guidance

This vulnerability can be detected by inspecting the source code of Open ISES Tickets installations for the presence of a hardcoded WhitePages reverse-phone API key in the wp1.php file.

You can search for the API key by running commands that look for the specific file and keywords within it.

  • Use a command like: grep -r 'WhitePages' /path/to/open-ises-tickets/wp1.php
  • Alternatively, search for the API key pattern or keywords related to the WhitePages API key in the source directory: grep -r 'api_key' /path/to/open-ises-tickets/

If the source code is publicly accessible or stored in a repository, review the wp1.php file for any hardcoded credentials.

Mitigation Strategies

The immediate mitigation step is to upgrade Open ISES Tickets to version 3.44.2 or later, where this vulnerability has been addressed.

Additionally, remove any hardcoded WhitePages API keys from the wp1.php file or any other source files.

If the API key has been exposed, consider rotating or revoking the compromised WhitePages API key to prevent unauthorized use.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48243. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart