CVE-2026-8194 MEDIUM

CVE-2026-8194: osTicket Dispatcher class.dispatcher.php cross-site request forgery

Vendor N/A

Product osTicket

Weakness CWE-352 · CSRF

Published May 9, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown function of the file include/class.dispatcher.php of the component Dispatcher. The manipulation of the argument _method leads to cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

Key dates

Disclosure timeline

May 9, 2026 CVE published

May 11, 2026 Record updated

Identifiers

CVE CVE-2026-8194

CWE CWE-352

CVSS 5.3 / MEDIUM

Affected versions

Vendor N/A

Product osTicket

Affected 1.18.0

Vendor N/A

Product osTicket

Affected 1.18.1

Vendor N/A

Product osTicket

Affected 1.18.2

Vendor N/A

Product osTicket

Affected 1.18.3