CVE-2026-22200
published 2026-01-12

Priority: P2 · 77 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 73.13% (99.4th percentile)

Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.

Affected

4 ranges

Vendor        Product    Version range         Fixed in
enhancesoft   osticket   >= 1.17 < 1.17.7      1.17.7
enhancesoft   osticket   >= 1.17.0 < 1.17.7    1.17.7
enhancesoft   osticket   >= 1.18 < 1.18.3      1.18.3
enhancesoft   osticket   >= 1.18.0 < 1.18.3    1.18.3

Detection & IOCs (extracted from sources)

path: modules/auxiliary/gather/osticket_arbitrary_file_read.rb
url: /open.php
path: /etc/passwd
path: include/ost-config.php
other: php://filter
url: POST /open.php HTTP/1.1
path: /scp/

  • Detect exploitation attempts by monitoring POST requests to /open.php containing PHP filter chain URIs (php://filter) in the message body, particularly within img srcset attributes.
  • Monitor for crafted rich-text HTML submissions to osTicket ticket creation endpoints that include PHP filter expressions (php://filter) in img src or srcset fields.
  • Alert on PDF export requests for tickets that were submitted with img tags containing php://filter URIs, as the file read occurs at export time.
  • The Nuclei detection template checks for HTTP 200 responses to POST /open.php that reflect back srcset values containing the canary domain PATCH_DETECT_7f3a9b2e.example.com.
  • The vulnerability is exploitable in default configurations where guests may create tickets — monitor unauthenticated ticket submissions to /open.php for PHP filter chain payloads.
  • The Metasploit module targets both /scp/ (staff panel) and the client portal; monitor login attempts followed by ticket PDF export actions on both paths.
  • The Metasploit module description states 'Authentication is required', which contradicts the NVD description that exploitation is possible in default guest/self-registration configurations. Operators should validate whether guest ticket creation paths are also exploitable without credentials.
  • The vulnerability affects osTicket 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 only; detections should be scoped to these version ranges.
  • The file read is triggered at PDF export time, not at ticket submission time; detection must cover both the initial crafted submission and the subsequent PDF export request to catch the full attack chain.
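
One way to implement the img src/srcset check described in the bullets above, as an added example (not code from the Nuclei template, the Metasploit module or osTicket). The function names, the normalisation steps and the sample HTML are assumptions constructed for illustration; it parses the submitted rich text so that php://filter is flagged only inside img src or srcset values, not in ordinary ticket text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

MARKER = "php://filter"        # indicator named on this page
WATCHED = {"src", "srcset"}    # img attributes named on this page

def normalise(value):
    """Percent-decode, lowercase, and drop whitespace/control characters
    (defensive normalisation; which encodings appear in practice is an assumption)."""
    return re.sub(r"[\x00-\x20]+", "", unquote(value)).lower()

class ImgScanner(HTMLParser):
    """Collects (attribute, raw value) pairs for img tags carrying the marker."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and has already decoded
        # character references (e.g. &#58;) inside attribute values.
        if tag != "img":
            return
        for name, value in attrs:
            if name in WATCHED and value and MARKER in normalise(value):
                self.findings.append((name, value))

def scan_ticket_html(html):
    """Return findings for one ticket body submitted to /open.php."""
    scanner = ImgScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample ticket bodies (placeholders, not working filter expressions).
BENIGN = '<p>Printer is down</p><img src="https://example.com/shot.png">'
TEXT_ONLY = '<p>Should our WAF block php://filter strings?</p>'
SRCSET = '<img srcset="php://filter/PLACEHOLDER 1x">'
ENCODED = '<IMG SRC="PHP&#58;//Filter/PLACEHOLDER">'

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("text-only", TEXT_ONLY),
                        ("srcset", SRCSET), ("entity-encoded", ENCODED)]:
        hits = scan_ticket_html(body)
        print(f"{label:15} {'ALERT' if hits else 'ok':6} {hits}")
```

A hit at submission time identifies the ticket to watch; because the file read happens at export, the alert is most useful when joined with later PDF export requests for the same ticket.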

CVSS provenance

nvd   v3.1   7.5   HIGH   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd   v4.0   8.7   HIGH   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X