Open ISES Tickets < 3.44.2 SQL Injection in incs/remotes.inc.php via...

8.8 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. An attacker able to compromise or impersonate the remote GPS tracker endpoint can inject SQL to manipulate the responder location, tracks, and assignment tables.

AI Analysis

SQL injection vulnerability in incs/remotes.inc.php via external GPS tracker data

Basic Information

ID CVE-2026-48235

Source VulnCheck

Published May 21, 2026 at 17:10

Modified May 21, 2026 at 18:02

Affected Product

Vendor Open ISES

Product Tickets

Affected Versions Open ISES Tickets 0

CWE Classification

CWE-89

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Open ISES

Product Tickets

Version < 3.44.2

References

{
    "lastseen": "",
    "description": "Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. An attacker able to compromise or impersonate the remote GPS tracker endpoint can inject SQL to manipulate the responder location, tracks, and assignment tables.",
    "published": "2026-05-21T17:10:38.272Z",
    "modified": "2026-05-21T18:02:46.489Z",
    "type": "cve",
    "title": "Open ISES Tickets < 3.44.2 SQL Injection in incs/remotes.inc.php via External GPS Tracker Data",
    "source": "VulnCheck",
    "references": "https://github.com/openises/tickets/releases/tag/v3.44.2\nhttps://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff\nhttps://www.vulncheck.com/advisories/open-ises-tickets-sql-injection-via-incs-remotes-inc-php-multiple-parameters",
    "id": "CVE-2026-48235",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "Open ISES Tickets 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Tickets",
    "version": "0",
    "vendor": "Open ISES",
    "ai_description": "SQL injection vulnerability in incs/remotes.inc.php via external GPS tracker data",
    "ai_severity": "High",
    "ai_vendor": "Open ISES",
    "ai_product": "Tickets",
    "ai_version": "< 3.44.2",
    "ai_score": 8.8
}

Open ISES Tickets < 3.44.2 SQL Injection in incs/remotes.inc.php via External GPS Tracker Data_CVE-2026-48235