CVE-2026-22200
Published 2026-01-12
Priority: P2 · 77 · high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Public exploit: available
EPSS: 73.13% (99.4th percentile)
Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| enhancesoft | osticket | >= 1.17 < 1.17.7 | 1.17.7 |
| enhancesoft | osticket | >= 1.17.0 < 1.17.7 | 1.17.7 |
| enhancesoft | osticket | >= 1.18 < 1.18.3 | 1.18.3 |
| enhancesoft | osticket | >= 1.18.0 < 1.18.3 | 1.18.3 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to /open.php containing PHP filter chain URIs (php://filter) in the message body, particularly within img srcset attributes.
- Monitor for crafted rich-text HTML submissions to osTicket ticket creation endpoints that include PHP filter expressions (php://filter) in img src or srcset fields.
- Alert on PDF export requests for tickets that were submitted with img tags containing php://filter URIs, as the file read occurs at export time.
- The Nuclei detection template checks for HTTP 200 responses to POST /open.php that reflect back srcset values containing the canary domain PATCH_DETECT_7f3a9b2e.example.com.
- The vulnerability is exploitable in default configurations where guests may create tickets; monitor unauthenticated ticket submissions to /open.php for PHP filter chain payloads.
- The Metasploit module targets both /scp/ (staff panel) and the client portal; monitor login attempts followed by ticket PDF export actions on both paths.
- The Metasploit module description states 'Authentication is required', which contradicts the NVD description that exploitation is possible in default guest/self-registration configurations. Operators should validate whether guest ticket creation paths are also exploitable without credentials.
- The vulnerability affects osTicket 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 only; detections should be scoped to these version ranges.
- The file read is triggered at PDF export time, not at ticket submission time; detection must cover both the initial crafted submission and the subsequent PDF export request to catch the full attack chain.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
Nuclei
osTicket - Arbitrary File Read (nuclei · CVSS 8.7)
CVE-2026-22200 [HIGH] osTicket - Arbitrary File Read
Metasploit
osTicket Arbitrary File Read via PHP Filter Chains in mPDF (metasploit · CVSS 8.7)
CVE-2026-22200 [HIGH] osTicket Arbitrary File Read via PHP Filter Chains in mPDF
This module exploits an arbitrary file read vulnerability in osTicket (CVE-2026-22200). The vulnerability exists in osTicket's PDF export functionality which uses mPDF. By injecting a specially crafted HTML payload containing PHP filter chain URIs into a ticket reply, an attacker can read arbitrary files from the server when the ticket is exported to PDF. The PHP filter chain constructs a BMP image header that is prepended to the target file contents. When mPDF renders the ticket as a PDF, it processes the php://filter URI, reads the target file, and embeds it as a bitmap image in the resulting PDF. The module then extracts the file contents from the PDF. Authentication is required. The module supports both staff panel (/scp/) and
References
- https://github.com/osTicket/osTicket/commit/c59b067
- https://github.com/osTicket/osTicket/releases/tag/v1.17.7
- https://github.com/osTicket/osTicket/releases/tag/v1.18.3
- https://horizon3.ai/attack-research/attack-blogs/ticket-to-shell-exploiting-php-filters-and-cnext-in-osticket-cve-2026-22200/
- https://www.vulncheck.com/advisories/osticket-pdf-export-arbitrary-file-read