← All CVEs

CVE-2026-48241

CRITICAL 9.2

Published 2026-05-21 · Last modified 2026-05-21

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php (a public-facing database utility) that are committed to the source repository. Any actor with access to the public source tree (or an unauthenticated attacker with read access to the file on a deployed installation) can read the username, password, and database name and use them to connect to the database if it is reachable from their network.

ELEVATED IMPACT

Severe if exploited (CVSS 9.2), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.3%chance of exploitation in 30 days · 22nd percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

9.2CVSS 4.0 · CRITICAL

  • ConfidentialityHigh
  • IntegrityHigh
  • AvailabilityHigh

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: Needs a race window or specific setup
  • Requirements: No special attack requirements

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Open Ises

Products Tickets

Weakness (CWE)

  • CWE-798: Hard-coded credentials

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Sources: NVD · CVE.org · EPSS