Vulnerability Description
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. An attacker able to compromise or impersonate the remote GPS tracker endpoint can inject SQL to manipulate the responder location, tracks, and assignment tables.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2d
- https://github.com/openises/tickets/releases/tag/v3.44.2
- https://www.vulncheck.com/advisories/open-ises-tickets-sql-injection-via-incs-re
FAQ
What is CVE-2026-48235?
CVE-2026-48235 is a vulnerability with a CVSS score of 8.2 (HIGH). Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS trackin...
How severe is CVE-2026-48235?
CVE-2026-48235 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-48235?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.