What is GHSA-3r6v-wcmw-ghxc?

GHSA-3r6v-wcmw-ghxc is a security advisory published by GitHub Security Advisories with High severity. Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php...

Which CVE IDs does GHSA-3r6v-wcmw-ghxc cover?

GHSA-3r6v-wcmw-ghxc covers the following CVE IDs: CVE-2026-48235. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-3r6v-wcmw-ghxc?

GHSA-3r6v-wcmw-ghxc has a CVSS v3 base score of 8.2, published by GitHub Security Advisories.

GHSA-3r6v-wcmw-ghxcHighCVSS 8.2

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php...

Vendor

GitHub Security Advisories

Published

May 21, 2026

Last Modified

May 21, 2026

🔗 CVE IDs covered (1)

CVE-2026-48235 →

📋 Description

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. An attacker able to compromise or impersonate the remote GPS tracker endpoint can inject SQL to manipulate the responder location, tracks, and assignment tables.

🔗 References (5)

https://nvd.nist.gov/vuln/detail/CVE-2026-48235
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://github.com/openises/tickets/releases/tag/v3.44.2
https://www.vulncheck.com/advisories/open-ises-tickets-sql-injection-via-incs-remotes-inc-php-multiple-parameters
https://github.com/advisories/GHSA-3r6v-wcmw-ghxc