CVE-2026-48235 HIGH

CVE-2026-48235: Open ISES Tickets < 3.44.2 SQL Injection in incs/remotes.inc.php via External GPS Tracker Data

Vendor Open Ises

Product Tickets

Weakness CWE-89 · SQLi

Published May 21, 2026

Last update May 21, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. An attacker able to compromise or impersonate the remote GPS tracker endpoint can inject SQL to manipulate the responder location, tracks, and assignment tables.

Key dates

Disclosure timeline

May 21, 2026 CVE published

May 21, 2026 Record updated