CVE-2026-48241

Published: Mag 21, 2026 Last Modified: Mag 21, 2026
ExploitDB:
Other exploit source:
Google Dorks:
CRITICAL 9,2
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
HIGH 8,1
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high

Description

AI Translation Available

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php (a public-facing database utility) that are committed to the source repository. Any actor with access to the public source tree (or an unauthenticated attacker with read access to the file on a deployed installation) can read the username, password, and database name and use them to connect to the database if it is reachable from their network.

798

Use of Hard-coded Credentials

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control Integrity Confidentiality Availability Other
Potential Impacts:
Bypass Protection Mechanism Read Application Data Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Other
Applicable Platforms
Technologies: Mobile, ICS/OT
Likelihood of Exploit: High
View CWE Details
https://github.com/openises/tickets/commit/ecfeb406a016766c…
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2…
https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/releases/tag/v3.44.2
https://www.vulncheck.com/advisories/open-ises-tickets-hard…
https://www.vulncheck.com/advisories/open-ises-tickets-hardcoded-mysql-credenti…