CVE-2026-35016 Overview
CVE-2026-35016 is a reflected cross-site scripting (XSS) vulnerability in Open ISES Tickets versions before 3.44.2. The flaw exists in search.php, which passes the frm_query POST parameter directly into an HTML input field VALUE attribute without sanitization. Authenticated attackers can inject arbitrary JavaScript by crafting a malicious request containing a payload in the frm_query parameter. The script executes in the victim's browser when the request is submitted. The weakness is classified under CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in a victim's browser session, enabling session theft, credential harvesting, and unauthorized actions within the Open ISES Tickets application.
Affected Products
- Open ISES Tickets versions prior to 3.44.2
- search.php component processing the frm_query POST parameter
- Additional 22 files patched in the same release for related reflected XSS issues
Discovery Timeline
- 2026-05-20 - CVE-2026-35016 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-35016
Vulnerability Analysis
The vulnerability stems from unsafe handling of user-supplied input in search.php. The application reads the frm_query POST parameter and inserts the raw value into the VALUE attribute of an HTML <INPUT> element. Because PHP does not encode the value before output, an attacker can break out of the attribute context using a quote character followed by JavaScript event handlers or new tags. This is a reflected XSS pattern, meaning the payload is delivered through a crafted request and executed only in the requesting user's session.
The vendor's patch commit fixes 69 reflected XSS issues across 22 files. The fixes apply two distinct sanitization strategies depending on data type: numeric coercion with intval() for identifiers, and htmlspecialchars() encoding for free-form text.
Root Cause
The root cause is missing output encoding when reflecting user input into HTML attributes. The vulnerable code passes $_POST['frm_query'] and similar parameters directly to print statements inside attribute values, trusting client-supplied data.
Attack Vector
Exploitation requires an authenticated session and user interaction. An attacker crafts a request, or social-engineers a victim into submitting a form, that places a JavaScript payload in the frm_query parameter. The server echoes the payload into the rendered page, where the browser executes it in the application's origin.
// Patch example from add.php — integer coercion for numeric IDs
// Vulnerable:
<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_POST['ticket_id'];?>' />
// Fixed:
<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_POST['ticket_id']);?>' />
// Patch example from add_facnote.php — HTML entity encoding for text
// Vulnerable:
<INPUT TYPE='hidden' NAME='frm_ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>' />
// Fixed:
<INPUT TYPE='hidden' NAME='frm_ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' />
Source: GitHub Commit ecfeb40
Detection Methods for CVE-2026-35016
Indicators of Compromise
- HTTP POST requests to search.php containing frm_query values with <script>, onerror=, onload=, or quote-breakout sequences such as '>.
- Web server access logs showing URL-encoded JavaScript payloads in the frm_query parameter.
- Browser console errors or unexpected outbound requests from authenticated user sessions to attacker-controlled domains.
Detection Strategies
- Inspect application access logs for POST bodies to search.php containing reserved HTML characters like ", <, >, or event handler keywords.
- Deploy a web application firewall (WAF) rule that flags reflected payloads where the request body content also appears in the response body.
- Review authenticated session activity for anomalous JavaScript execution patterns or unexpected cross-origin requests.
Monitoring Recommendations
- Enable HTTP request and response logging on the web server fronting Open ISES Tickets and forward logs to a centralized analytics platform.
- Monitor for spikes in authenticated traffic to search.php originating from a single source IP or session token.
- Track Content Security Policy (CSP) violation reports if a restrictive CSP is deployed.
How to Mitigate CVE-2026-35016
Immediate Actions Required
- Upgrade Open ISES Tickets to version 3.44.2 or later, which contains fixes for all 69 reflected XSS issues across 22 files.
- Review and apply the upstream patch commit ecfeb40 if a binary upgrade is not yet feasible.
- Invalidate active user sessions after upgrading to ensure no in-flight exploitation persists through stored session tokens.
Patch Information
The vendor released Open ISES Tickets v3.44.2, which remediates the issue by applying intval() to numeric parameters and htmlspecialchars($value, ENT_QUOTES, 'UTF-8') to text parameters before echoing them into HTML attributes. Technical details are documented in the VulnCheck Advisory for XSS.
Workarounds
- Deploy a WAF rule that blocks POST requests to search.php where frm_query contains HTML metacharacters such as <, >, or ".
- Apply a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins.
- Restrict access to the Open ISES Tickets application to trusted networks or VPN users until the patch is applied.
# Example ModSecurity rule to block suspicious frm_query payloads
SecRule ARGS:frm_query "@rx (?i)(<script|onerror=|onload=|javascript:|'\s*>)" \
"id:1035016,phase:2,deny,status:403,log,\
msg:'CVE-2026-35016: Reflected XSS attempt in frm_query parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
