CVE-2026-8194

MEDIUM

osTicket Dispatcher class.dispatcher.php cross-site request forgery

Title source: cna

Description

A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown function of the file include/class.dispatcher.php of the component Dispatcher. The manipulation of the argument _method leads to cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

References (6)

Core 6

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-362346 | osTicket Dispatcher class.dispatcher.php cross-site request forgery

https://vuldb.com/vuln/362346

Signature, Permissions Required signature permissions-required

VDB-362346 | CTI Indicators (IOB, IOC, IOA)

https://vuldb.com/vuln/362346/cti

Third Party Advisory third-party-advisory

Submit #802755 | osTicket 1.18.3 Cross-Site Request Forgery

https://vuldb.com/submit/802755

Patch issue-tracking patch

https://github.com/osTicket/osTicket/pull/6945

Exploit exploit

https://github.com/az10b/security-advisories/blob/main/csrf_bypass_osTicket.md

View Exploit ZIP pw:eip

Product product

https://github.com/osTicket/osTicket/

Scores

CVSS v3 4.3

EPSS 0.0016

EPSS Percentile 5.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-352 CWE-862

Status published

Products (4)

None/osTicket 1.18.0

None/osTicket 1.18.1

None/osTicket 1.18.2

None/osTicket 1.18.3

Published May 09, 2026

Tracked Since May 10, 2026