๐Ÿ” CVE Alert

CVE-2026-14871

UNKNOWN 0.0

osTicket v1.18.3 - v1.17.7 - BOLA/IDOR in ticket field viewing allows cross-department data disclosure

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) leading to Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem.

CWE CWE-863
Vendor osticket
Product osticket
Published Jul 17, 2026
Last Updated Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for osticket osticket

Be the first to know when new unknown vulnerabilities affecting osticket osticket are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

osTicket / osTicket
v1.18.3 v1.17.7

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
fluidattacks.com: https://fluidattacks.com/advisories/kyokai medium.com: https://medium.com/p/1abb8be847e6 github.com: https://github.com/osTicket/osTicket/ github.com: https://github.com/osTicket/osTicket/releases/tag/v1.18.4 github.com: https://github.com/osTicket/osTicket/releases/tag/v1.17.8

Credits

Juan Felipe Osorio Z