CVE-2026-36214
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-36214, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: MITRE

Description

osTicket versions from 1.10 up to 1.17.7 and from 1.18.0 up to 1.18.3 are vulnerable to a stored XSS due to a vulnerable Bootstrap Tooltip component and insufficient HTML sanitization, allowing remote attackers to execute arbitrary JavaScript in Agent or Admin sessions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
osticket osticket From 1.10|end_including=1.17.7 (inc)
osticket osticket From 1.18.0|end_including=1.18.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-36214 is a stored Cross-Site Scripting (XSS) vulnerability in osTicket versions 1.10 to 1.17.7 and 1.18.0 to 1.18.3. It occurs due to a vulnerable Bootstrap Tooltip component (version 3.3.4) and insufficient HTML sanitization in the software.

The vulnerability allows remote attackers to inject arbitrary JavaScript code into the system. When an agent or admin views a malicious ticket or tooltip, the script executes in their session. This is possible because the Bootstrap Tooltip component did not properly sanitize user-provided HTML content, and osTicket's default settings allowed unrestricted file uploads, including JavaScript files.

  • The root cause is the inclusion of Bootstrap Tooltip 3.3.4, which is affected by CVE-2019-8331, a known XSS vulnerability.
  • Attackers can craft malicious payloads that bypass HTML sanitization, often leveraging the tooltip's data-template attribute to inject scripts.
  • The vulnerability has been present in osTicket since 2015, affecting multiple major releases.
Impact Analysis

If you are using an affected version of osTicket (1.10 to 1.17.7 or 1.18.0 to 1.18.3), this vulnerability can have serious consequences for your organization.

  • Session compromise: Attackers can execute arbitrary JavaScript in the sessions of agents or administrators, allowing them to hijack accounts and perform actions on behalf of legitimate users.
  • Data theft: Attackers can access sensitive information stored in osTicket, such as customer data, support tickets, or internal communications.
  • Phishing attacks: Attackers can redirect users to malicious websites designed to steal credentials or distribute malware.
  • Administrative actions: With access to an admin session, attackers can modify system settings, create or delete users, or alter configurations.
  • Unrestricted file uploads: The default settings in osTicket allow attackers to upload malicious files, including JavaScript files, which can be used to further exploit the system.

While Content Security Policy (CSP) restrictions in the staff panel may block some external scripts, attackers can still use inline JavaScript or data URIs to bypass these protections.

Compliance Impact

This vulnerability can significantly impact compliance with common data protection and privacy regulations, depending on the type of data your organization handles in osTicket.

  • GDPR (General Data Protection Regulation): If osTicket processes personal data of EU citizens, this vulnerability could lead to unauthorized access or disclosure of that data. GDPR requires organizations to implement appropriate security measures to protect personal data. A successful XSS attack could result in a data breach, triggering reporting obligations and potential fines under GDPR.
  • HIPAA (Health Insurance Portability and Accountability Act): If osTicket is used to handle protected health information (PHI) in a healthcare setting, this vulnerability could lead to unauthorized access to PHI. HIPAA requires covered entities to protect the confidentiality, integrity, and availability of PHI. A breach resulting from this vulnerability could lead to non-compliance and penalties.
  • Other regulations: Similar risks apply to other standards like PCI DSS (if payment card data is involved) or industry-specific regulations. Non-compliance could result in legal consequences, financial penalties, or reputational damage.

Organizations must ensure they are using a patched version of osTicket (1.17.8, 1.18.4, or later) to mitigate this vulnerability and maintain compliance with applicable regulations.

Detection Guidance

Detecting CVE-2026-36214 on your network or system involves checking for vulnerable versions of osTicket and identifying potential malicious payloads in stored tickets or tooltips.

  • Check the installed version of osTicket. The vulnerability affects versions from 1.10 up to 1.17.7 and from 1.18.0 up to 1.18.3. You can verify the version by navigating to the osTicket admin panel or checking the version file in the installation directory (e.g., /include/ost-config.php or /bootstrap.php).
  • Inspect stored tickets for suspicious content. Look for tickets containing unusual HTML or JavaScript, particularly in fields that render tooltips or use the Bootstrap Tooltip component. For example, search for attributes like data-template or data-html in ticket content.
  • Review server logs for unusual activity, such as unexpected JavaScript file uploads or requests to execute scripts. Check for files with .js extensions or content types like application/javascript in upload directories.
  • Use a web vulnerability scanner to detect stored XSS vulnerabilities in osTicket. Tools like OWASP ZAP or Burp Suite can help identify potential XSS payloads in ticket submissions or tooltip components.
  • Manually test for the vulnerability by submitting a benign XSS payload in a ticket and checking if it executes when viewed by an agent or admin. For example, submit a ticket with the following payload in a field that renders tooltips: <script>alert('XSS')</script>. If the script executes, the system is vulnerable.
Mitigation Strategies

To mitigate CVE-2026-36214, follow these immediate steps to reduce the risk of exploitation.

  • Upgrade osTicket to the latest patched version. The vulnerability is fixed in versions 1.17.8 and 1.18.4. Download the update from the official osTicket GitHub repository and follow the upgrade instructions provided in the release notes.
  • If upgrading is not immediately possible, apply temporary mitigations by restricting file uploads. Disable the ability to upload JavaScript files or files with executable content types. Modify the osTicket configuration to block .js files or enforce strict content type validation.
  • Enhance HTML sanitization by manually applying the patches from the commit linked in Resource 2. Update the bootstrap-tooltip.js file to include the sanitize option, sanitizeFn callback, and whiteList configuration. Also, modify the safe_html function in include/class.format.php to remove the data-cid attribute from allowed HTML attributes.
  • Implement a Content Security Policy (CSP) to restrict inline script execution and data URIs. Configure the CSP header to block unsafe-inline and data: schemes, which can help mitigate the impact of XSS attacks even if the vulnerability is present.
  • Monitor and audit ticket content for malicious payloads. Regularly review stored tickets for suspicious HTML or JavaScript, particularly in fields that render tooltips. Remove or sanitize any identified malicious content.
  • Restrict access to the osTicket admin and agent panels. Limit access to trusted IP addresses or require multi-factor authentication (MFA) to reduce the risk of unauthorized access even if an XSS vulnerability is exploited.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36214. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart