CVE-2026-35010 Overview
CVE-2026-35010 is a reflected cross-site scripting (XSS) vulnerability in Open ISES Tickets versions before 3.44.2. The flaw resides in patient_JF.php, which passes the ticket_id GET parameter directly into a JavaScript variable assignment without sanitization. Authenticated attackers can craft a malicious URL containing a JavaScript payload that executes in the victim's browser when the link is visited. The issue is tracked under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of a victim's authenticated session, enabling session manipulation, data theft, or unauthorized actions within the Open ISES Tickets application.
Affected Products
- Open ISES Tickets versions prior to 3.44.2
- patient_JF.php endpoint accepting the ticket_id GET parameter
- Deployments exposing the Open ISES Tickets web interface to authenticated users
Discovery Timeline
- 2026-05-20 - CVE-2026-35010 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-35010
Vulnerability Analysis
The vulnerability is a reflected XSS issue in the patient_JF.php script of Open ISES Tickets. The application reads the ticket_id query parameter from the request and embeds its value directly into a client-side JavaScript variable assignment in the rendered HTML response. Because the value is neither HTML-encoded nor JavaScript-escaped, attacker-supplied content breaks out of the intended string context and executes as code in the victim's browser.
Exploitation requires the victim to be authenticated and to load a crafted URL. User interaction is required, which constrains real-world attack scenarios to social engineering or chained delivery via trusted internal channels. Once executed, the payload runs with the privileges of the victim's browser session, including access to cookies, the Document Object Model (DOM), and any API endpoints reachable through the session.
Root Cause
The root cause is missing output encoding when the ticket_id GET parameter is rendered inside a JavaScript context within patient_JF.php. The application trusts URL-supplied input and reflects it into executable script without server-side sanitization or context-aware escaping. The upstream fix in version 3.44.2 addresses this via the commit referenced in the GitHub Commit Update.
Attack Vector
The attack is delivered over the network. An attacker constructs a URL targeting patient_JF.php with a JavaScript payload in the ticket_id parameter. The attacker then lures an authenticated user to click the link via email, chat, or another web page. When the victim's browser loads the response, the injected script executes inline. Refer to the VulnCheck Security Advisory for additional technical context.
Detection Methods for CVE-2026-35010
Indicators of Compromise
- HTTP GET requests to patient_JF.php with ticket_id parameter values containing JavaScript keywords such as <script>, alert(, onerror=, or document.cookie.
- URL-encoded payload patterns in ticket_id such as %3Cscript%3E or %22%3B indicating attempts to break out of the JavaScript string context.
- Web server access logs showing unusually long or syntactically irregular ticket_id values originating from external referrers.
Detection Strategies
- Inspect web server and application logs for patient_JF.php requests where ticket_id deviates from expected numeric or alphanumeric identifier formats.
- Deploy a Web Application Firewall (WAF) rule that flags reflected XSS signatures targeting the ticket_id parameter.
- Correlate suspicious URL clicks in email gateways with subsequent authenticated sessions accessing patient_JF.php.
Monitoring Recommendations
- Enable Content Security Policy (CSP) violation reporting to capture inline script execution attempts in production.
- Monitor outbound browser traffic from authenticated user sessions for unexpected requests to external domains that could indicate cookie exfiltration.
- Track version inventory of Open ISES Tickets deployments to confirm all instances are running 3.44.2 or later.
How to Mitigate CVE-2026-35010
Immediate Actions Required
- Upgrade Open ISES Tickets to version 3.44.2 or later using the GitHub Release Version 3.44.2.
- Restrict access to the Open ISES Tickets application to trusted networks or via VPN until patching is complete.
- Notify authenticated users of the active phishing risk and instruct them not to click unsolicited links referencing ticket identifiers.
Patch Information
The vendor released a fix in version 3.44.2. The patch sanitizes the ticket_id parameter before rendering it in the JavaScript context of patient_JF.php. Review the upstream change in the GitHub Commit Update and validate the deployed version after upgrade.
Workarounds
- Deploy a WAF rule that rejects requests to patient_JF.php where ticket_id contains characters outside the expected identifier character set.
- Apply a strict Content Security Policy that disallows inline script execution to reduce the impact of reflected XSS payloads.
- Restrict the application behind authentication proxies that enforce referrer checks and short-lived session cookies.
# Example WAF rule (ModSecurity) to block suspicious ticket_id values
SecRule ARGS:ticket_id "@rx (?i)(<script|javascript:|onerror=|onload=|%3Cscript)" \
"id:1003501,phase:2,deny,status:403,log,msg:'CVE-2026-35010 XSS attempt on patient_JF.php'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
