CVE-2026-48241 CRITICAL

CVE-2026-48241: Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in loader.php

Vendor Open Ises
Product Tickets
Weakness CWE-798 · Hardcoded credentials
Published May 21, 2026
Last update May 21, 2026

CVSS base score

9.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php (a public-facing database utility) that are committed to the source repository. Any actor with access to the public source tree (or an unauthenticated attacker with read access to the file on a deployed installation) can read the username, password, and database name and use them to connect to the database if it is reachable from their network.
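A defensive check for the weakness described above, as an added example that is not part of the advisory or the Open ISES code base: it scans PHP source for database connection calls and credential-named variables that carry string literals. The sample PHP is constructed for illustration and does not reproduce loader.php; all function and variable names are hypothetical.

```python
import re

# PHP MySQL connection calls; arguments 1 and 2 are the username and password.
CALL_RE = re.compile(
    r"\b(mysql_connect|mysqli_connect|new\s+mysqli|new\s+PDO)\s*\(([^;]*)\)\s*;", re.I)
# Variables whose names suggest a credential, assigned a non-empty string literal.
ASSIGN_RE = re.compile(r"""\$(\w*(?:pass|pwd|user)\w*)\s*=\s*(['"]).+?\2\s*;""", re.I)
LITERAL_RE = re.compile(r"""(['"]).+\1""", re.S)

# Constructed samples (not taken from the real loader.php).
SAMPLE_VULNERABLE = '''<?php
$db_host = "localhost";
$db_user = "tickets_app";
$db_pass = "example-password";
$link = mysqli_connect($db_host, $db_user, $db_pass, "tickets");
$alt = new mysqli("localhost", "tickets_app", "example-password", "tickets");
'''
SAMPLE_HARDENED = '''<?php
$link = mysqli_connect(getenv("DB_HOST"), getenv("DB_USER"), getenv("DB_PASS"), getenv("DB_NAME"));
'''

def split_args(arglist):
    """Split on top-level commas, respecting quotes and nesting (escaped quotes not handled)."""
    args, cur, quote, depth = [], "", None, 0
    for ch in arglist:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        elif ch == "," and depth == 0:
            args.append(cur.strip()); cur = ""
            continue
        cur += ch
    return args + [cur.strip()]

def find_hardcoded_db_credentials(php_source):
    """Return sorted (line, kind, detail) findings; the secret value itself is never returned."""
    line_of = lambda m: php_source.count("\n", 0, m.start()) + 1
    findings = [(line_of(m), "assignment", "$" + m.group(1))
                for m in ASSIGN_RE.finditer(php_source)]
    for m in CALL_RE.finditer(php_source):
        args = split_args(m.group(2))
        for idx, role in ((1, "username"), (2, "password")):
            if idx < len(args) and LITERAL_RE.fullmatch(args[idx]):
                findings.append((line_of(m), " ".join(m.group(1).split()), role))
    return sorted(findings)
```

A finding in a file under the web root or in version control means the credential should be rotated as well as moved out of source, since removing it from the current revision does not remove it from repository history.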

Key dates

Disclosure timeline

May 21, 2026 CVE published
May 21, 2026 Record updated