Vulnerability Description
Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for general-purpose outbound HTTPS requests issued by the shared helper functions. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2d
- https://github.com/openises/tickets/releases/tag/v3.44.2
- https://www.vulncheck.com/advisories/open-ises-tickets-disabled-tls-certificate-
FAQ
What is CVE-2026-48247?
CVE-2026-48247 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outboun...
How severe is CVE-2026-48247?
CVE-2026-48247 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-48247?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.