CVE-2026-22200
CVE-2026-22200 is a high-severity vulnerability in Enhancesoft Osticket with a CVSS 3.x base score of 7.5. Its EPSS exploit-prediction score of 73% places it in the 99th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-74.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v4: 8.7
- EPSS exploit prediction: 73% (99th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-1918
- Weakness: CWE-74
- Affected product: Enhancesoft Osticket
- Published:
- Last modified:
Description
Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
Frequently asked questions
- What is CVE-2026-22200?
- Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
- How severe is CVE-2026-22200?
- CVE-2026-22200 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-22200 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 73% (99th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-22200?
- CVE-2026-22200 affects Enhancesoft Osticket. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-22200?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-22200 have an EU (EUVD) identifier?
- Yes. CVE-2026-22200 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-1918.
- When was CVE-2026-22200 published?
- CVE-2026-22200 was published on 2026-01-12 and last updated on 2026-06-17.
References
- https://github.com/osTicket/osTicket/commit/c59b067
- https://github.com/osTicket/osTicket/releases/tag/v1.17.7
- https://github.com/osTicket/osTicket/releases/tag/v1.18.3
- https://horizon3.ai/attack-research/attack-blogs/ticket-to-shell-exploiting-php-filters-and-cnext-in-osticket-cve-2026-22200/
- https://www.vulncheck.com/advisories/osticket-pdf-export-arbitrary-file-read
Affected products (1)
- cpe:2.3:a:enhancesoft:osticket:*:*:*:*:*:*:*:*
More vulnerabilities in Enhancesoft Osticket
- CVE-2021-42235 — Critical (CVSS 9.8): SQL injection in osTicket before 1.14.8 and 1.15.4 login and password reset process allows attackers to access the…
- CVE-2022-31888 — High (CVSS 8.8): Session Fixation vulnerability in in function login in class.auth.php in osTicket through 1.16.2.
- CVE-2023-30082 — High (CVSS 7.5): A denial of service attack might be launched against the server if an unusually lengthy password (more than 10000000…
- CVE-2021-45811 — Medium (CVSS 6.5): A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket 1.15.x allows…
- CVE-2023-46967 — Medium (CVSS 6.1): Cross Site Scripting vulnerability in the sanitize function in Enhancesoft osTicket 1.18.0 allows a remote attacker to…
- CVE-2023-1320 — Medium (CVSS 6.1): Cross-site Scripting (XSS) - Stored in GitHub repository osticket/osticket prior to v1.16.6.
All CVEs affecting Enhancesoft Osticket →
Other CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities
- CVE-2026-25586 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty…
- CVE-2026-25520 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped.…
- CVE-2025-20265 — Critical (CVSS 10.0): A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2025-20337 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2025-20281 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2024-42472 — Critical (CVSS 10.0): Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious…
Browse all CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities →