CVE-2026-35007 Overview
CVE-2026-35007 is a reflected cross-site scripting (XSS) vulnerability in Open ISES Tickets versions prior to 3.44.2. The flaw resides in single_unit.php, where the id GET parameter is passed unsanitized directly into an HTML attribute. Authenticated attackers can craft a malicious URL containing a JavaScript payload that executes in the victim's browser when the link is visited. The issue is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Successful exploitation enables arbitrary JavaScript execution in the victim's browser session, leading to session manipulation, UI redress, or theft of in-page data within the Open ISES Tickets application.
Affected Products
- Open ISES Tickets versions before 3.44.2
- The single_unit.php script handling the id GET parameter
- Related files patched in the same commit covering 22 files and 69 reflected XSS sinks
Discovery Timeline
- 2026-05-20 - CVE-2026-35007 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-35007
Vulnerability Analysis
The vulnerability in Open ISES Tickets allows an authenticated attacker to inject arbitrary JavaScript by supplying a crafted value to the id GET parameter of single_unit.php. The application echoes this parameter directly into an HTML attribute without escaping or encoding, breaking out of the attribute context and executing attacker-controlled script.
Reflected XSS in this context requires user interaction. An attacker must lure an authenticated victim to click a malicious URL, after which the payload executes under the victim's origin. The vulnerability affects integrity and confidentiality of the rendered page rather than the underlying server.
The upstream commit addresses the same class of bug across 22 files and 69 sinks, indicating systemic missing output encoding throughout the codebase, not an isolated regression.
Root Cause
The root cause is missing output encoding when reflecting $_GET and $_POST values into HTML attributes. PHP templates concatenated request input directly into VALUE='...' attributes without applying htmlspecialchars() or input casting, allowing attribute-context breakout via single quotes or event handlers.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker crafts a URL targeting single_unit.php with a JavaScript payload in the id parameter, then delivers it to an authenticated user through phishing, chat, or another vector. When the victim opens the link, the unsanitized value is reflected into the HTML response and the payload executes in the browser.
// Vulnerable pattern (pre-patch) - reflecting GET input directly into an attribute
<INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>' />
// Patched pattern - encoding output for HTML attribute context
<INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' />
// Patched pattern for numeric IDs - casting to integer
<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_POST['ticket_id']);?>' />
Source: GitHub Commit ecfeb40
Detection Methods for CVE-2026-35007
Indicators of Compromise
- HTTP GET requests to single_unit.php containing id parameter values with <, >, ', ", or javascript: substrings
- Web server access logs showing URL-encoded script tags or event handler keywords such as onerror, onload, or onmouseover in query strings
- Referrer headers pointing to external chat, email, or phishing domains preceding requests to Open ISES Tickets endpoints
Detection Strategies
- Inspect web application firewall (WAF) logs for reflected XSS signatures against single_unit.php and related Open ISES Tickets endpoints
- Correlate authenticated user sessions with outbound requests immediately following a click on a long, encoded URL containing the id parameter
- Run source-code scanners against the Open ISES Tickets deployment to flag print $_GET and print $_POST patterns without htmlspecialchars() or intval()
Monitoring Recommendations
- Enable HTTP request logging with full query strings on the web server hosting Open ISES Tickets
- Alert on anomalous spikes in 200-status responses to single_unit.php with abnormally long id values
- Monitor browser-side Content Security Policy (CSP) violation reports to identify reflected script execution attempts
How to Mitigate CVE-2026-35007
Immediate Actions Required
- Upgrade Open ISES Tickets to version 3.44.2 or later, which contains the fix for all 69 reflected XSS sinks
- Audit any custom modifications to single_unit.php and other patched files to ensure they retain the encoding changes after upgrade
- Educate authenticated users on the risk of opening unsolicited links pointing to internal ticketing URLs
Patch Information
The fix is published in Open ISES Tickets release v3.44.2. The corresponding source change is documented in GitHub Commit ecfeb40, which applies htmlspecialchars($value, ENT_QUOTES, 'UTF-8') to string parameters and intval() to numeric parameters across 22 files. Additional context is available in the VulnCheck Security Advisory.
Workarounds
- Deploy a WAF rule that blocks or sanitizes id parameter values to single_unit.php containing HTML metacharacters
- Apply a strict Content Security Policy (CSP) that disallows inline scripts and unsafe event handlers in the application response
- Restrict access to the Open ISES Tickets application to trusted networks via VPN or IP allowlisting until the patch is applied
# Example ModSecurity rule to block reflected XSS payloads on single_unit.php id parameter
SecRule REQUEST_URI "@contains /single_unit.php" \
"chain,phase:2,deny,status:403,id:1026350071,msg:'CVE-2026-35007 reflected XSS attempt'"
SecRule ARGS:id "@rx (?i)(<script|onerror=|onload=|javascript:|['\"]\s*>)" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
