CVE-2025-10692
CVE-2025-10692 describes an SQL injection in OpenSupports 4.11.0 via POST /api/staff/get-new-tickets, where the user-supplied departmentId is concatenated into the SQL WHERE clause without parameter binding. An authenticated staff user (level ≥ 1) can alter filtering to access tickets outside the...