CVE-2026-48242— Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in import_mdb.php
Possible ATT&CK Techniques 1AI
T1552 · Unsecured CredentialsGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48242
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in import_mdb.php
Source: NVD (National Vulnerability Database)
Vulnerability Description
Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration values that may match deployed installations.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用硬编码的凭证
Source: NVD (National Vulnerability Database)
Vulnerability Title
tickets 信任管理问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
tickets是Open ISES开源的一款公共安全调度管理与追踪应用。 tickets 3.44.2之前版本存在信任管理问题漏洞,该漏洞源于在import_mdb.php中硬编码了MySQL数据库连接凭据,可能导致任何读取源代码的人获取有效配置值。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-48242
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 7903 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-48242
请登录查看更多情报信息。
Vendor Pages for CVE-2026-48242 (1)
Other References for CVE-2026-48242 (1)
- Page Not Found | VulnCheckthird-party-advisory
Same Patch Batch · Open ISES · 2026-05-21 · 37 CVEs total
| CVE-2026-48235 | 8.2 HIGH | Open ISES Tickets < 3.44.2 SQL Injection in incs/remotes.inc.php via External GPS Tracker |
| CVE-2026-48241 | 8.1 HIGH | Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in loader.php |
| CVE-2026-48236 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via db_loader.php Multiple Parameters |
| CVE-2026-48238 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via ajax/mobile_main.php id Parameter |
| CVE-2026-48240 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via ajax/statistics.php tick_id and f_tick_id Par |
| CVE-2026-48233 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via ajax/sit_incidents.php offset Parameter |
| CVE-2026-48237 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via message.php frm_ticket_id and frm_resp_id Par |
| CVE-2026-48231 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via tables.php Multiple Parameters |
| CVE-2026-48239 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via ajax/reports.php tick_id Parameter |
| CVE-2026-48232 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via ajax/fullsit_incidents.php offset Parameter |
| CVE-2026-48234 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via portal/ajax/list_requests.php sort and dir Pa |
| CVE-2026-48247 | 5.9 MEDIUM | Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in incs/functions.inc.php |
| CVE-2026-48248 | 5.9 MEDIUM | Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in incs/login.inc.php |
| CVE-2026-48249 | 5.9 MEDIUM | Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in rm/incs/mobile_login.i |
| CVE-2026-48246 | 5.9 MEDIUM | Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in ajax/reports.php |
| CVE-2026-48230 | 5.4 MEDIUM | Open ISES Tickets < 3.44.2 Reflected XSS via ticketsmdb_import.php Multiple POST Parameter |
| CVE-2026-48229 | 5.4 MEDIUM | Open ISES Tickets < 3.44.2 Reflected XSS via routes_i.php ticket_id Parameter |
| CVE-2026-48228 | 5.4 MEDIUM | Open ISES Tickets < 3.44.2 Reflected XSS via patient_w.php id and ticket_id Parameters |
| CVE-2026-48226 | 5.4 MEDIUM | Open ISES Tickets < 3.44.2 Reflected XSS via os_watch.php ref and mode_orig Parameters |
| CVE-2026-48223 | 5.4 MEDIUM | Open ISES Tickets < 3.44.2 Reflected XSS via ics213rr.php frm_add_str Parameter |
Showing top 20 of 37 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Tickets
- CVE-2026-48249
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48248
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48247
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48246
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48245
Open ISES Tickets < 3.44.2 Hardcoded Google Maps API Key in
Same vendor: Open ISES
- CVE-2026-48249
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48248
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48247
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48246
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48245
Open ISES Tickets < 3.44.2 Hardcoded Google Maps API Key in
Same weakness: CWE-798
- CVE-2026-48245
Open ISES Tickets < 3.44.2 Hardcoded Google Maps API Key in - CVE-2026-48244
Open ISES Tickets < 3.44.2 Hardcoded Google Maps API Key in - CVE-2026-48243
Open ISES Tickets < 3.44.2 Hardcoded WhitePages API Key in w - CVE-2026-48241
Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credenti - CVE-2026-9139
Taiko AG1000-01A Rev 7.3/8 Hard-coded Credentials via login.
V. Comments for CVE-2026-48242
No comments yet