CVE-2026-22200

EIP tracks 3 public exploits for CVE-2026-22200. PoCs published by horizon3ai, Remnant-DB, HORIZON3.ai Team, Arkaprabha Chakraborty <@t1nt1nsn0wy>, including Metasploit module auxiliary/gather/osticket_arbitrary_file_read. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2026-22200, which abuses PHP filters in osTicket's mPDF library to exfiltrate files and can be chained with CVE-2024-2961 for remote code execution (RCE). The exploit includes checks for vulnerability validation and payload generation tools.

Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.