CVE-2026-48245
Deferred Deferred - Pending Action
Hardcoded Google Maps API Key Exposure in Open ISES Tickets

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: VulnCheck

Description
Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud project.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-21
Generated
2026-06-11
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-10
NVD
CVE-2026-48245
EUVD
EUVD-2026-31328
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability involves a hardcoded Google Maps API key exposed in the public source repository, which can be used by unauthorized parties to make requests billed to the original owner's Google Cloud project.

There is no information provided about any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

Open ISES Tickets versions before 3.44.2 contain a hardcoded Google Maps API key embedded in the tables.php file. This key is committed to the public source repository, making it accessible to anyone with read access to the source code.

Because the key is exposed publicly, unauthorized users can extract it and use it to make Google Maps Platform requests that are billed to the original owner's Google Cloud project.

Impact Analysis

The vulnerability can lead to unauthorized use of the Google Maps API key, allowing attackers or unauthorized users to make requests to the Google Maps Platform.

This unauthorized usage can result in unexpected charges billed to the original owner's Google Cloud project, potentially causing financial loss.

Detection Guidance

This vulnerability involves a hardcoded Google Maps API key embedded in the tables.php file of Open ISES Tickets versions before 3.44.2. To detect it, you can search the source code repository or your deployed files for the presence of this hardcoded key.

  • Use a command like `grep -r 'AIza' /path/to/ises-tickets/` to search for Google Maps API keys in the source code, as Google API keys typically start with 'AIza'.
  • Check the tables.php file specifically for any hardcoded API keys by running `grep 'Google Maps API key' /path/to/ises-tickets/tables.php` or inspecting the file manually.
Mitigation Strategies

The primary mitigation step is to update Open ISES Tickets to version 3.44.2 or later, where this vulnerability has been addressed.

Additionally, you should revoke or regenerate the exposed Google Maps API key to prevent unauthorized usage and potential billing against your Google Cloud project.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48245. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart