CVE-2026-48249
Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in rm/incs/mobile_login.inc.php
CVSS Score
5.9
EPSS Score
0.0%
EPSS Percentile
0th
Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests issued during the mobile (RouteMate) login flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.
| CWE | CWE-295 |
| Vendor | open ises |
| Product | tickets |
| Published | May 21, 2026 |
| Last Updated | May 26, 2026 |
Stay Ahead of the Next One
Get instant alerts for open ises tickets
Be the first to know when new medium vulnerabilities affecting open ises tickets are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
Open ISES / Tickets
0 < 3.44.2
References
github.com: https://github.com/openises/tickets/releases/tag/v3.44.2 github.com: https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff vulncheck.com: https://www.vulncheck.com/advisories/open-ises-tickets-disabled-tls-certificate-verification-in-rm-incs-mobile-login-inc-php