CVE-2026-48241

Description

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php (a public-facing database utility) that are committed to the source repository. Any actor with access to the public source tree (or an unauthenticated attacker with read access to the file on a deployed installation) can read the username, password, and database name and use them to connect to the database if it is reachable from their network.

References

• https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
• https://github.com/openises/tickets/releases/tag/v3.44.2
• https://www.vulncheck.com/advisories/open-ises-tickets-hardcoded-mysql-credentials-in-loader-php