Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form action URL. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48227.json",
"cwe_ids": [
"CWE-79"
],
"cna_assigner": "VulnCheck"
}