Home

Description

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. An attacker able to compromise or impersonate the remote GPS tracker endpoint can inject SQL to manipulate the responder location, tracks, and assignment tables.

PUBLISHED Reserved 2026-05-21 | Published 2026-05-21 | Updated 2026-05-21 | Assigner VulnCheck




HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

HIGH: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

Any version before 3.44.2
affected

References

github.com/openises/tickets/releases/tag/v3.44.2 release-notes

github.com/...ommit/ecfeb406a016766cae81c749e14b5145a9f2dbff patch

www.vulncheck.com/...ncs-remotes-inc-php-multiple-parameters third-party-advisory

cve.org (CVE-2026-48235)

nvd.nist.gov (CVE-2026-48235)

Download JSON