CVE-2026-14871
osTicket v1.18.3 - v1.17.7 - BOLA/IDOR in ticket field viewing allows cross-department data disclosure
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) leading to Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem.
| CWE | CWE-863 |
| Vendor | osticket |
| Product | osticket |
| Published | Jul 17, 2026 |
| Last Updated | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for osticket osticket
Be the first to know when new unknown vulnerabilities affecting osticket osticket are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
osTicket / osTicket
v1.18.3 v1.17.7
References
Credits
Juan Felipe Osorio Z