CVE-2026-35011 Overview
CVE-2026-35011 is a reflected cross-site scripting (XSS) vulnerability in Open ISES Tickets versions before 3.44.2. The flaw resides in opena.php, which writes the frm_call GET parameter into the page output without output encoding. An authenticated attacker can craft a URL carrying a JavaScript payload; the payload executes in the browser of any authenticated user who follows the link. The issue is classified under CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
An authenticated attacker can execute arbitrary JavaScript in a victim's browser session, enabling session token theft, UI manipulation, and actions performed in the victim's context within the Open ISES Tickets application.
Affected Products
- Open ISES Tickets versions prior to 3.44.2
- The opena.php endpoint handling the frm_call GET parameter
- Related files patched in the same commit (22 files containing 69 reflected XSS sinks)
Discovery Timeline
- 2026-05-20 - CVE-2026-35011 published to the National Vulnerability Database (NVD)
- 2026-05-20 - Last updated in NVD database
- Vendor fix - Released in Open ISES Tickets v3.44.2
Technical Details for CVE-2026-35011
Vulnerability Analysis
The vulnerability stems from opena.php echoing the frm_call GET parameter directly into the HTML response without applying output encoding. Because the parameter value is reflected into the rendered page, an attacker controls a portion of the DOM. A crafted URL with a JavaScript payload triggers script execution in the victim's browser when the victim follows the link while authenticated.
The upstream fix addresses 69 reflected XSS sinks across 22 files in the application. The remediation replaces unsafe parameter echoes with PHP sanitization primitives: intval() for values that must be numeric, and htmlspecialchars() with ENT_QUOTES and 'UTF-8' for string values. ENT_QUOTES is not optional here: the sinks sit inside single-quoted attribute values, and the pre-PHP-8.1 default flags (ENT_COMPAT) leave single quotes unencoded, so a value such as ' onmouseover=alert(1) x=' would still close the attribute and inject a handler. The sink-by-sink shape of the change indicates the application historically lacked a centralized output-encoding layer.
Root Cause
Open ISES Tickets writes user-controlled GET parameters into HTML attributes and body content without contextual escaping. The frm_call parameter in opena.php is one of many sinks where request data crosses directly into rendered output. The absence of output encoding lets attackers break out of the surrounding HTML context and inject <script> tags or event handlers.
Attack Vector
Exploitation requires authentication and user interaction. An attacker crafts a URL such as opena.php?frm_call=<payload> and convinces an authenticated user to visit it. Because the application reflects the payload into the response, the script runs under the victim's origin and session. Typical impact includes session cookie exfiltration, CSRF token theft, and unauthorized actions performed via the victim's authenticated session.
// Vulnerable pattern (pre-3.44.2), from the same commit: a request parameter reflected into a single-quoted attribute value without encoding. The opena.php frm_call sink has the same shape with $_GET.
<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_POST['ticket_id'];?>' />
// Patched pattern in add.php — integer coercion for numeric parameters
<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_POST['ticket_id']);?>' />
// Patched pattern in add_facnote.php — HTML entity encoding for string parameters
<INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' />
Source: GitHub commit ecfeb40
Detection Methods for CVE-2026-35011
Indicators of Compromise
- HTTP requests to opena.php containing script tags, javascript: URIs, or HTML event handlers in the frm_call query parameter
- URL-encoded payload fragments such as %3Cscript%3E, onerror=, or onload= appearing in web server access logs
- Referer headers from external domains on requests for Open ISES Tickets URLs with abnormal query strings, which indicate a lured user rather than in-application navigation
Detection Strategies
- Inspect web server and application logs for GET requests to opena.php where frm_call contains angle brackets, quotes, or script-related keywords
- Deploy a web application firewall (WAF) rule that blocks reflected XSS patterns on the frm_call parameter
- Apply Content Security Policy (CSP) reporting to surface inline script execution attempts on Open ISES Tickets pages
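The log inspection described in the indicators and detection strategies above, as an added example (not code from the advisory or from the Open ISES Tickets project). It assumes Apache/nginx Combined Log Format and an application hostname of tickets.example.com; the log lines are constructed for illustration. It percent-decodes repeatedly so double-encoded payloads are not missed, matches any on*= handler rather than only onerror= and onload=, and flags requests whose Referer points at an external site.

```python
"""Scan access logs for reflected-XSS probes against opena.php?frm_call=.

Added example for this advisory; not code from the Open ISES Tickets project.
Assumptions: Combined Log Format, the app served under APP_HOST, and the
constructed SAMPLE_LOG lines below.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

APP_HOST = "tickets.example.com"  # assumed deployment hostname

# Combined Log Format: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens with no business in a frm_call value: tag delimiters, the quote
# characters that terminate the attribute, javascript: URIs and any on*=
# handler (not just onerror=/onload=).
XSS_MARKERS = re.compile(r"""[<>'"]|javascript\s*:|\bon\w+\s*=""", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %253C (double-encoded '<') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target: str) -> list[dict]:
    """Return one finding per suspicious frm_call value in a request target."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "opena.php":
        return []
    findings = []
    # parse_qs performs one round of decoding; fully_decode handles the rest
    for raw in parse_qs(parts.query, keep_blank_values=True).get("frm_call", []):
        value = fully_decode(raw)
        markers = sorted({m.group(0).lower() for m in XSS_MARKERS.finditer(value)})
        if markers:
            findings.append({"value": value, "markers": markers})
    return findings


def scan_log(log_text: str, app_host: str = APP_HOST) -> list[dict]:
    """Parse Combined Log Format lines and annotate findings with source context."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; count these separately in production
        for finding in inspect_target(m["target"]):
            referer = m["referer"]
            finding.update(
                host=m["host"],
                user=m["user"],
                time=m["time"],
                # A link followed from another site is the classic delivery route
                external_referer=referer not in ("", "-")
                and urlsplit(referer).hostname != app_host,
            )
            results.append(finding)
    return results


# Constructed sample: one plain payload, one double-encoded attribute breakout,
# one benign numeric value and one request to a different script.
SAMPLE_LOG = """\
203.0.113.7 - alice [20/May/2026:10:01:02 +0000] "GET /tickets/opena.php?frm_call=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5120 "http://example.net/lure" "Mozilla/5.0"
203.0.113.7 - alice [20/May/2026:10:01:30 +0000] "GET /tickets/opena.php?frm_call=%2527%2520onmouseover%253Dalert(1)%2520x%253D%2527 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - bob [20/May/2026:10:02:00 +0000] "GET /tickets/opena.php?frm_call=1234 HTTP/1.1" 200 5120 "http://tickets.example.com/index.php" "Mozilla/5.0"
198.51.100.4 - bob [20/May/2026:10:02:05 +0000] "GET /tickets/index.php?q=%3Cb%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The second sample line is the case a naive grep for %3Cscript%3E misses: the attribute breakout arrives double-encoded and contains no angle brackets at all. Feeding real logs means replacing SAMPLE_LOG with the file contents and APP_HOST with the production hostname.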
Monitoring Recommendations
- Forward Open ISES Tickets web logs to a centralized log analytics platform and alert on anomalous query string lengths or encoded payload markers
- Correlate suspicious opena.php requests with subsequent authenticated user actions to identify potential session abuse
- Track outbound requests from end-user browsers to unfamiliar domains following access to Open ISES Tickets URLs
How to Mitigate CVE-2026-35011
Immediate Actions Required
- Upgrade Open ISES Tickets to version 3.44.2 or later, which contains the comprehensive XSS fix
- Restrict access to the Open ISES Tickets application to trusted networks until the upgrade is complete
- Notify authenticated users to avoid clicking unsolicited links that reference the application
Patch Information
The vendor released a fix in Open ISES Tickets v3.44.2. The patch is documented in GitHub commit ecfeb40 and addresses 69 reflected XSS vulnerabilities across 22 files. Additional context is available in the VulnCheck security advisory.
Workarounds
- Deploy WAF signatures that block reflected XSS payloads targeting the frm_call GET parameter on opena.php
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins
- Configure session cookies with HttpOnly and SameSite=Strict attributes. HttpOnly stops injected script from reading the session cookie through document.cookie, and SameSite=Strict withholds the cookie on cross-site navigations, so a lure link opened from external mail or web pages lands in an unauthenticated context. Neither attribute stops script from executing in the page, and injected script can still issue same-origin requests that carry the victim's session, so treat these as hardening rather than as a fix.
# Example ModSecurity rule to block script-like payloads on frm_call.
# Stopgap only: signature matching is bypassable (a bare quote that closes the
# attribute carries no tag or handler keyword), so upgrade remains the fix.
SecRule ARGS:frm_call "@rx (?i)(<script|javascript\s*:|on\w+\s*=|<svg|<img|<iframe)" \
    "id:1026035011,phase:2,deny,status:403,log,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'CVE-2026-35011: Reflected XSS attempt against opena.php frm_call'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


