CVE-2026-35008 Overview
CVE-2026-35008 is a reflected cross-site scripting (XSS) vulnerability in Open ISES Tickets versions prior to 3.44.2. The flaw resides in single.php, where the ticket_id GET parameter is rendered directly into an HTML attribute without sanitization. Authenticated attackers can craft URLs that inject arbitrary JavaScript into the victim's browser session when visited. The issue is tracked under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in a victim's browser context, enabling session manipulation, credential theft, and unauthorized actions within the Open ISES Tickets application.
Affected Products
- Open ISES Tickets versions prior to 3.44.2
- single.php component (vulnerable ticket_id GET parameter handling)
- Other files patched in the same release: v3.44.2 fixes 69 reflected XSS instances across 22 files in total
Discovery Timeline
- 2026-05-20 - CVE-2026-35008 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-35008
Vulnerability Analysis
The vulnerability stems from unsafe handling of user-controlled input in single.php. The application reads the ticket_id value from the HTTP GET query string and prints it directly into an HTML attribute using PHP's print statement. Because the value is neither type-cast nor HTML-encoded, and the attribute is single-quoted, an attacker can terminate the attribute with a single quote, append further attributes such as an event handler, and so inject a script payload.
This is a classic reflected XSS pattern, where the malicious payload is delivered through a crafted URL rather than stored on the server. Exploitation requires authentication, which limits opportunistic attacks but does not prevent abuse by low-privilege users targeting administrators. Successful exploitation can lead to session token theft, forced ticket modifications, and pivoting into other application functions accessible to the victim.
The upstream fix is published in Open ISES Tickets release v3.44.2, which addresses 69 reflected XSS instances across 22 files in a single commit.
Root Cause
The root cause is missing output encoding and missing input validation on parameters consumed from the $_GET and $_POST superglobals. Values that should be numeric ticket identifiers are passed through unchanged, so arbitrary characters, including quotes and angle brackets, are reflected into the HTML.
Attack Vector
An attacker authenticated to Open ISES Tickets crafts a URL containing a malicious payload in the ticket_id parameter and delivers it to a victim via phishing, chat, or another ticket. When the victim visits the URL, the server reflects the payload into an INPUT attribute, breaking out of the VALUE='' context and executing attacker-controlled JavaScript.
// Vulnerable pattern (pre-3.44.2): the request parameter is printed raw into a single-quoted attribute; single.php does the same with $_GET['ticket_id']
<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_POST['ticket_id'];?>' />
// Patched pattern in add.php (v3.44.2): integer cast for numeric IDs
<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_POST['ticket_id']);?>' />
// Patched pattern in add_facnote.php (v3.44.2): HTML entity encoding; ENT_QUOTES is needed so the single quote that delimits the attribute is encoded too
<INPUT TYPE='hidden' NAME='frm_ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' />
Source: GitHub Commit ecfeb40
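The attribute breakout described above and the two fixes, as an added example that is not code from the page or from the Open ISES Tickets project: Python's html.escape() stands in for htmlspecialchars(), a small regex mimics intval(), and the template string and payload are constructed for the demo. A real HTML tokenizer decides whether an event-handler attribute appeared, rather than a string match.

```python
"""Added example, not code from Open ISES Tickets: simulates the single-quoted
VALUE attribute from the page and checks whether a ticket_id value escapes it
under the pre-3.44.2 raw print and under the two v3.44.2 fixes. html.escape()
stands in for PHP's htmlspecialchars(); a regex stands in for intval()."""
import html
import re
from html.parser import HTMLParser

# Attribute context taken from the page's vulnerable line (single-quoted VALUE).
TEMPLATE = "<INPUT TYPE='hidden' NAME='ticket_id' VALUE='{}' />"

# Constructed payload: a single quote closes VALUE, an event handler is added,
# and a trailing quote re-absorbs the template's own closing quote.
PAYLOAD = "' onfocus='alert(document.cookie)' autofocus='"


def render_vulnerable(ticket_id: str) -> str:
    """Pre-3.44.2: the parameter is printed as-is."""
    return TEMPLATE.format(ticket_id)


def render_intval(ticket_id: str) -> str:
    """add.php fix. Mimics PHP intval(): leading integer, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", ticket_id)
    return TEMPLATE.format(int(m.group(1)) if m else 0)


def render_escaped(ticket_id: str) -> str:
    """add_facnote.php fix: encode & < > \" and ' (the ENT_QUOTES analogue)."""
    return TEMPLATE.format(html.escape(ticket_id, quote=True))


def render_escaped_no_quotes(ticket_id: str) -> str:
    """An encoder that leaves quotes alone. htmlspecialchars() did not encode
    the single quote by default before PHP 8.1, which is why ENT_QUOTES matters
    for a single-quoted attribute."""
    return TEMPLATE.format(html.escape(ticket_id, quote=False))


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag the tokenizer sees."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = {k: (v if v is not None else "") for k, v in attrs}

    handle_startendtag = handle_starttag


def input_attributes(markup: str) -> dict:
    """Attributes of the rendered <input>, as a browser-like tokenizer sees them."""
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs


def breaks_out(markup: str) -> bool:
    """True if the value escaped VALUE='' and produced an on* handler attribute."""
    return any(name.startswith("on") for name in input_attributes(markup))


if __name__ == "__main__":
    cases = [("raw print", render_vulnerable), ("intval", render_intval),
             ("htmlspecialchars + ENT_QUOTES", render_escaped),
             ("htmlspecialchars without ENT_QUOTES", render_escaped_no_quotes)]
    for name, fn in cases:
        out = fn(PAYLOAD)
        print(f"{name:36} breakout={breaks_out(out)!s:5} {out}")
```

Only the integer cast and the quote-aware encoding keep the payload inside the attribute; the encoder that skips quotes reproduces the vulnerable output exactly, which is the trap to check for in any custom modification that uses htmlspecialchars() without the flag.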
Detection Methods for CVE-2026-35008
Indicators of Compromise
- HTTP GET requests to single.php with ticket_id parameter values containing characters such as ', ", <, >, onerror=, or javascript:
- Web server access logs showing URL-encoded script tags or event handlers in the ticket_id query string
- Outbound browser requests from authenticated user sessions to unfamiliar domains immediately after viewing a ticket URL
Detection Strategies
- Inspect web access logs for non-numeric values in the ticket_id parameter, since legitimate identifiers are integers
- Deploy WAF rules that flag reflected XSS payload signatures targeting /single.php, /add.php, and /add_facnote.php
- Where browser telemetry or a CSP reporting endpoint is available, correlate an authenticated session's single.php request with script loads or outbound requests to unexpected origins that follow it within a short window
Monitoring Recommendations
- Alert on single.php requests whose ticket_id value, once URL-decoded, contains HTML metacharacters or is otherwise not an integer; the server answers 200 OK whether or not the payload fires, so the status code alone is not a useful filter
- Track user agents and source IPs that submit malformed ticket_id values across multiple endpoints
- Review Content Security Policy (CSP) violation reports if CSP is enabled in front of the application
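The non-integer check from the detection strategies above, run over access-log lines, as an added example that is not from the page or the project. The log lines, IP addresses and user agents are constructed for the demo; the three script names and the "ticket_id must be an integer" rule come from the page. Values are percent-decoded repeatedly (with a bound) so a double-encoded quote is not missed by a check that only decodes once.

```python
"""Added example (not part of the page or the project): applies the rule
"ticket_id must be a plain integer" to combined-format access log lines for
the three scripts named on the page. Sample lines are constructed for the demo
and use documentation IP ranges."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

WATCHED_SCRIPTS = {"/single.php", "/add.php", "/add_facnote.php"}
INTEGER = re.compile(r"^\d+$")

# Apache/nginx combined log format; referer and user agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

SAMPLE_LOG = [
    # benign request: integer ticket id
    '198.51.100.7 - - [20/May/2026:10:01:02 +0000] "GET /single.php?ticket_id=1042 HTTP/1.1" 200 5321 "-" "Mozilla/5.0"',
    # single-encoded attribute breakout against single.php
    '203.0.113.9 - - [20/May/2026:10:02:15 +0000] "GET /single.php?ticket_id=1042%27%20onfocus%3D%27alert(1)%27%20autofocus%3D%27 HTTP/1.1" 200 5402 "-" "Mozilla/5.0"',
    # double-encoded payload against add_facnote.php (a plain %27 signature misses it)
    '203.0.113.9 - - [20/May/2026:10:03:40 +0000] "GET /add_facnote.php?ticket_id=%2527%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    # unrelated script: ignored
    '192.0.2.33 - - [20/May/2026:10:04:01 +0000] "GET /index.php?page=list HTTP/1.1" 200 2210 "-" "curl/8.5.0"',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, at most `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return a finding dict for a watched script with a non-integer ticket_id."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path not in WATCHED_SCRIPTS:
        return None
    # parse_qs already decodes one layer; fully_decode handles nested encoding.
    for value in parse_qs(url.query, keep_blank_values=True).get("ticket_id", []):
        decoded = fully_decode(value)
        if not INTEGER.match(decoded):
            return {"ip": m["ip"], "ts": m["ts"], "path": url.path,
                    "status": m["status"], "ua": m["ua"] or "", "decoded": decoded}
    return None


def scan(lines):
    """All findings across a sequence of log lines."""
    return [f for f in (inspect_line(line) for line in lines) if f]


def repeat_offenders(findings, min_endpoints: int = 2):
    """Source IPs that sent malformed ticket_id values to several watched scripts."""
    per_ip = defaultdict(set)
    for f in findings:
        per_ip[f["ip"]].add(f["path"])
    return {ip: len(paths) for ip, paths in per_ip.items() if len(paths) >= min_endpoints}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['path']} {f['status']} ticket_id={f['decoded']!r}")
    print("repeat offenders:", repeat_offenders(found))
```

This only covers the GET vector. add.php reads ticket_id from the POST body, which does not appear in access logs, so that endpoint needs request-body logging or inspection at the WAF rather than a log scan.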
How to Mitigate CVE-2026-35008
Immediate Actions Required
- Upgrade Open ISES Tickets to version 3.44.2 or later, available at GitHub Release v3.44.2
- Audit all instances of $_GET and $_POST usage in custom modifications to ensure values are encoded before being printed in HTML
- Rotate session identifiers and review audit logs for suspicious ticket activity from authenticated users
Patch Information
The upstream fix is delivered in commit ecfeb40 of the openises/tickets repository, included in release v3.44.2. The patch replaces direct printing of $_GET['ticket_id'] and $_POST['ticket_id'] with either intval() for numeric contexts or htmlspecialchars($value, ENT_QUOTES, 'UTF-8') for string contexts. The ENT_QUOTES flag is essential here: the attributes are single-quoted, and on PHP versions before 8.1 htmlspecialchars() without it encodes double quotes but leaves the single quote untouched, which would leave the attribute breakout intact. See the VulnCheck Advisory: Reflected XSS for full technical details.
Workarounds
- Place a web application firewall in front of the application and reject any request whose ticket_id value, after URL decoding, is not a plain integer; an allow-list check of this kind is harder to bypass with encoding tricks than a blocklist of HTML metacharacters
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins; roll it out in report-only mode first, since any inline scripts or event handlers the application itself relies on would be blocked by the same rule
- Restrict authenticated access to the Open ISES Tickets application to trusted internal networks until the patch is applied
# Example: pull and deploy the patched release
git clone https://github.com/openises/tickets.git
cd tickets
git checkout v3.44.2
# Verify the fix is present in single.php and related files
grep -n "htmlspecialchars\|intval" single.php add.php add_facnote.php
# List any request parameters still printed without a cast or encoding, for manual review
grep -rnE 'print *\(?\$_(GET|POST)\[' --include='*.php' .
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.