CVE-2026-48246— Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in ajax/reports.php
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48246
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in ajax/reports.php
Source: NVD (National Vulnerability Database)
Vulnerability Description
Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for Google Maps Directions API lookups during incident report generation. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
证书验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
tickets 信任管理问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
tickets是Open ISES开源的一款公共安全调度管理与追踪应用。 tickets 3.44.2之前版本存在信任管理问题漏洞,该漏洞源于在ajax/reports.php中禁用TLS证书验证,可能导致网络路径上的攻击者使用伪造证书拦截、监控或修改请求和响应。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-48246
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-48246
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-48246 (1)
Vendor Pages for CVE-2026-48246 (1)
Same Patch Batch · Open ISES · 2026-05-21 · 37 CVEs total
| CVE-2026-48235 | 8.2 HIGH | Open ISES Tickets < 3.44.2 SQL Injection in incs/remotes.inc.php via External GPS Tracker |
| CVE-2026-48241 | 8.1 HIGH | Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in loader.php |
| CVE-2026-48242 | 8.1 HIGH | Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in import_mdb.php |
| CVE-2026-48238 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via ajax/mobile_main.php id Parameter |
| CVE-2026-48236 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via db_loader.php Multiple Parameters |
| CVE-2026-48231 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via tables.php Multiple Parameters |
| CVE-2026-48240 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via ajax/statistics.php tick_id and f_tick_id Par |
| CVE-2026-48237 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via message.php frm_ticket_id and frm_resp_id Par |
| CVE-2026-48233 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via ajax/sit_incidents.php offset Parameter |
| CVE-2026-48234 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via portal/ajax/list_requests.php sort and dir Pa |
| CVE-2026-48232 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via ajax/fullsit_incidents.php offset Parameter |
| CVE-2026-48239 | 7.1 HIGH | Open ISES Tickets < 3.44.2 SQL Injection via ajax/reports.php tick_id Parameter |
| CVE-2026-48247 | 5.9 MEDIUM | Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in incs/functions.inc.php |
| CVE-2026-48248 | 5.9 MEDIUM | Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in incs/login.inc.php |
| CVE-2026-48249 | 5.9 MEDIUM | Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in rm/incs/mobile_login.i |
| CVE-2026-48228 | 5.4 MEDIUM | Open ISES Tickets < 3.44.2 Reflected XSS via patient_w.php id and ticket_id Parameters |
| CVE-2026-48230 | 5.4 MEDIUM | Open ISES Tickets < 3.44.2 Reflected XSS via ticketsmdb_import.php Multiple POST Parameter |
| CVE-2026-48227 | 5.4 MEDIUM | Open ISES Tickets < 3.44.2 Reflected XSS via patient.php id and ticket_id Parameters |
| CVE-2026-48226 | 5.4 MEDIUM | Open ISES Tickets < 3.44.2 Reflected XSS via os_watch.php ref and mode_orig Parameters |
| CVE-2026-48223 | 5.4 MEDIUM | Open ISES Tickets < 3.44.2 Reflected XSS via ics213rr.php frm_add_str Parameter |
Showing top 20 of 37 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Tickets
- CVE-2026-48249
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48248
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48247
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48245
Open ISES Tickets < 3.44.2 Hardcoded Google Maps API Key in - CVE-2026-48244
Open ISES Tickets < 3.44.2 Hardcoded Google Maps API Key in
Same vendor: Open ISES
- CVE-2026-48249
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48248
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48247
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48245
Open ISES Tickets < 3.44.2 Hardcoded Google Maps API Key in - CVE-2026-48244
Open ISES Tickets < 3.44.2 Hardcoded Google Maps API Key in
Same weakness: CWE-295
- CVE-2026-8992
Ivanti Secure Access Client证书验证漏洞致远程代码执行 - CVE-2025-32745
Dell PowerFlex Manager<=4.6.2证书验证缺陷 - CVE-2026-48249
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48248
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica - CVE-2026-48247
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verifica
V. Comments for CVE-2026-48246
No comments yet