CVE-2026-48248 | THREATINT

Description

Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for outbound HTTPS requests issued during the login/authentication flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.

PUBLISHED Reserved 2026-05-21 | Published 2026-05-21 | Updated 2026-05-21 | Assigner VulnCheck

HIGH: 8.2CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

MEDIUM: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Improper Certificate Validation

Product status

Default status

unaffected

Any version before 3.44.2

affected

References

github.com/openises/tickets/releases/tag/v3.44.2 release-notes

github.com/...ommit/ecfeb406a016766cae81c749e14b5145a9f2dbff patch

www.vulncheck.com/...cate-verification-in-incs-login-inc-php third-party-advisory

cve.org (CVE-2026-48248)

nvd.nist.gov (CVE-2026-48248)

Download JSON