CVE-2026-35016

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in search.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_query POST parameter directly into an HTML input field VALUE attribute. Attackers can craft a malicious request containing a JavaScript payload in the frm_query parameter that executes in the victim's browser when submitted.
Configurations

No configuration.

History

20 May 2026, 20:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-05-20 20:16

Updated : 2026-07-14 21:16


NVD link : CVE-2026-35016

Mitre link : CVE-2026-35016

CVE.ORG link : CVE-2026-35016


JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')