CVE-2026-48246 HIGH

CVE-2026-48246: Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in ajax/reports.php

Vendor Open Ises

Product Tickets

Weakness CWE-295

Published May 21, 2026

Last update May 21, 2026

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for Google Maps Directions API lookups during incident report generation. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.

Key dates

Disclosure timeline

May 21, 2026 CVE published

May 21, 2026 Record updated