CVE-2026-22200

Exploit

EPSS 73.13%
Veröffentlicht 12.01.2026 18:34:12
Zuletzt bearbeitet 27.01.2026 20:27:55
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

osTicket (1.18.x < 1.18.3, 1.17.x < 1.17.7) PDF Export Arbitrary File Read

Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Enhancesoft ≫ Osticket Version >= 1.17 < 1.17.7

Enhancesoft ≫ Osticket Version >= 1.18 < 1.18.3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	73.13%	0.994

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
disclosure@vulncheck.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

https://www.vulncheck.com/advisories/osticket-pdf-export-arbitrary-file-read

Third Party Advisory

https://github.com/osTicket/osTicket/commit/c59b067

Patch

https://github.com/osTicket/osTicket/releases/tag/v1.18.3

Release Notes

https://github.com/osTicket/osTicket/releases/tag/v1.17.7

Release Notes

https://horizon3.ai/attack-research/attack-blogs/ticket-to-shell-exploiting-php-filters-and-cnext-in-osticket-cve-2026-22200/

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-22200

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-22200

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-22200

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-22200