CVE-2026-48246
MEDIUMOpen ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in ajax/reports.php
Title source: cnaDescription
Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for Google Maps Directions API lookups during incident report generation. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.
References (3)
Core 3
Core References
Release Notes release-notes
https://github.com/openises/tickets/releases/tag/v3.44.2
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/open-ises-tickets-disabled-tls-certificate-verification-in-ajax-reports-php
Scores
CVSS v3
5.9
EPSS
0.0017
EPSS Percentile
6.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-295
Status
published
Products (1)
Open ISES/Tickets
< 3.44.2
Published
May 21, 2026
Tracked Since
May 21, 2026