CVE-2026-35012 Overview
CVE-2026-35012 is a reflected cross-site scripting (XSS) vulnerability [CWE-79] in Open ISES Tickets versions before 3.44.2. The flaw exists in add_facnote.php, where the ticket_id GET parameter is passed directly into the VALUE attribute of a hidden input field without sanitization. Authenticated attackers can craft a malicious URL containing a JavaScript payload that executes in the victim's browser when the URL is visited.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of an authenticated user's session, enabling session manipulation, content injection, and theft of in-browser data.
Affected Products
- Open ISES Tickets versions prior to 3.44.2
- add_facnote.php component handling the ticket_id GET parameter
- Additional files patched in the same commit addressing 69 reflected XSS issues across 22 files
Discovery Timeline
- 2026-05-20 - CVE-2026-35012 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-35012
Vulnerability Analysis
The vulnerability is a reflected XSS issue in the Open ISES Tickets PHP application. The add_facnote.php script reads the ticket_id value from $_GET and prints it directly into the VALUE attribute of a hidden INPUT element. Because the value is rendered inside an attribute delimited by single quotes, an attacker who supplies a payload containing a single quote can break out of the attribute context and inject additional HTML or JavaScript.
The vulnerability requires an authenticated user to follow a crafted URL. Once visited, the injected script runs within the application origin and can access session cookies, perform actions on behalf of the user, or manipulate the rendered page. Related code patterns in add.php exhibited the same defect with the ticket_id value sourced from $_POST.
Root Cause
The root cause is missing output encoding when reflecting user-controlled request parameters into HTML attribute context. The application trusted the ticket_id parameter and used it verbatim in print statements, leaving the attribute boundary character exploitable.
Attack Vector
An attacker delivers a crafted URL to an authenticated user. The URL contains a JavaScript payload in the ticket_id query parameter. When the user requests add_facnote.php with the malicious value, the server reflects the payload into the page and the browser executes it.
// Vulnerable code in add_facnote.php (before patch)
<INPUT TYPE='hidden' NAME='frm_ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>' />
// Patched code in add_facnote.php (v3.44.2)
<INPUT TYPE='hidden' NAME='frm_ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' />
// Vulnerable code in add.php (before patch)
<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_POST['ticket_id'];?>' />
// Patched code in add.php (v3.44.2) - casts to integer
<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_POST['ticket_id']);?>' />
Source: GitHub commit ecfeb40
Detection Methods for CVE-2026-35012
Indicators of Compromise
- Web server access logs showing requests to add_facnote.php with suspicious ticket_id values containing single quotes, angle brackets, or JavaScript keywords such as onerror, onload, script, or javascript:.
- URL-encoded payloads in the ticket_id parameter (for example %27, %3E, %3C).
- Referer headers indicating users arrived at add_facnote.php from external or untrusted origins.
Detection Strategies
- Inspect HTTP request logs for non-numeric values supplied to the ticket_id parameter, since the patched add.php enforces integer values via intval().
- Deploy a Web Application Firewall (WAF) rule that flags attribute-breaking characters in ticket_id query strings targeting Open ISES Tickets endpoints.
- Run static analysis on PHP source to identify uses of $_GET or $_POST rendered into HTML attributes without htmlspecialchars().
Monitoring Recommendations
- Forward web server and application logs to a centralized logging platform and alert on anomalous query parameters reaching add_facnote.php.
- Monitor browser-side errors or Content Security Policy (CSP) violation reports referencing the Open ISES Tickets origin.
- Track outbound requests from authenticated sessions to attacker-controlled domains shortly after visiting ticket URLs.
How to Mitigate CVE-2026-35012
Immediate Actions Required
- Upgrade Open ISES Tickets to version 3.44.2 or later, which applies htmlspecialchars() and intval() sanitization across the 22 affected files.
- Audit all custom modifications to add_facnote.php and related ticket handlers for unsanitized reflection of request parameters.
- Revoke and rotate active session cookies for users who may have visited untrusted URLs targeting the application.
Patch Information
The vendor fix is included in the Open ISES Tickets v3.44.2 release. The patch, documented in GitHub commit ecfeb40, addresses 69 reflected XSS vulnerabilities across 22 files by applying htmlspecialchars($value, ENT_QUOTES, 'UTF-8') to reflected values and using intval() for numeric identifiers. Additional context is available in the VulnCheck advisory.
Workarounds
- Place the application behind a WAF and block requests where ticket_id contains non-numeric characters.
- Enforce a restrictive Content Security Policy (CSP) header that disallows inline script execution to limit payload impact.
- Restrict access to the ticketing application using network controls or VPN until the patched version is deployed.
# Example nginx rule to block non-numeric ticket_id values
location /add_facnote.php {
if ($arg_ticket_id !~ "^[0-9]+$") {
return 400;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
