← All CVEs

CVE-2026-48246

HIGH 8.2

Published 2026-05-21 · Last modified 2026-05-21

Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for Google Maps Directions API lookups during incident report generation. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.

ELEVATED IMPACT

Severe if exploited (CVSS 8.2), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.2%chance of exploitation in 30 days · 7th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

8.2CVSS 4.0 · HIGH

  • ConfidentialityHigh
  • IntegrityNone
  • AvailabilityNone

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: Needs a race window or specific setup
  • Requirements: No special attack requirements

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Open Ises

Products Tickets

Weakness (CWE)

  • CWE-295: Improper certificate validation

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Sources: NVD · CVE.org · EPSS