CVE-2026-48240

Open ISES Tickets ≤ 3.44.2 contains a SQL injection in ajax/statistics.php where POST tick_id and f_tick_id are concatenated into WHERE clauses of statistics rollup queries without sanitization. This allows authenticated users to alter query semantics and read/modify/destroy database contents. A ...