CVE-2026-22200
Published: 12 January 2026
Summary
CVE-2026-22200 is a high-severity Injection (CWE-74) vulnerability in Enhancesoft osTicket. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. The flaw arises when rich-text HTML containing PHP filter expressions is insufficiently sanitized before processing by the mPDF library, allowing the generated PDF to embed contents of arbitrary server files as bitmap images readable by the osTicket application user. The issue is tracked as CWE-74 and carries a CVSS 4.0 score of 8.7 reflecting network-accessible confidentiality impact without authentication requirements.
A remote attacker can exploit the weakness in default configurations that permit guest ticket creation or self-registration. By submitting a crafted ticket and triggering PDF export, the attacker obtains disclosure of sensitive local files such as configuration data or source code without needing prior credentials or elevated privileges.
Public references point to official patches released in osTicket v1.17.7 and v1.18.3, along with the corresponding commit that addresses input sanitization in the PDF export path. Administrators are advised to upgrade promptly and restrict guest access where feasible.
EPSS scores for the vulnerability reached a peak of 0.7537 on 2026-04-09 before receding to the current value of 0.6687, indicating measurable post-disclosure interest. Independent research publications have examined chaining opportunities beyond the initial file read.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1918
Vulnerability details
Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions, which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file read via unauthenticated exploitation of a public-facing web application's PDF export directly enables Exploit Public-Facing Application (T1190) and Data from Local System (T1005).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of rich-text HTML input containing PHP filter expressions before mPDF PDF export processing.
- AC-3 (Access Enforcement): enforces access restrictions so that only authorized users, not unauthenticated guests, can create tickets or trigger PDF exports that leak files.
- Controls information flows to block unauthorized embedding of arbitrary server file contents into generated PDF output.
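As an added example in the spirit of SI-10 (this is not osTicket's or mPDF's own code, nor the upstream patch), the following PHP function applies a scheme allowlist to the rich-text HTML before it is handed to a PDF renderer, so that image references a PHP stream wrapper could interpret never reach the renderer. The function name, the allowlist and the sample input are assumptions for illustration.

```php
<?php
// Added example, not osTicket's or mPDF's own code. Policy: before rich-text
// HTML reaches the PDF renderer, keep only <img> elements whose src scheme is
// on an allowlist, and drop inline styles that reference url(...). Anything a
// PHP stream wrapper could interpret (php://, file://, phar://, ...) is removed.

function sanitizeHtmlForPdf(string $html, array $allowedSchemes = ['http', 'https', 'data', 'cid']): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    // The XML processing instruction forces UTF-8; the wrapper <div> lets a bare fragment parse.
    $doc->loadHTML(
        '<?xml encoding="utf-8" ?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();

    // Copy the live NodeList to an array first: removing nodes while iterating it skips items.
    foreach (iterator_to_array($doc->getElementsByTagName('img')) as $img) {
        $src = trim($img->getAttribute('src'));
        $scheme = strtolower((string) parse_url($src, PHP_URL_SCHEME));
        // Reject unknown schemes and scheme-less values alike: a relative path
        // would be resolved by the renderer against the server's filesystem.
        if ($scheme === '' || !in_array($scheme, $allowedSchemes, true)) {
            $img->parentNode->removeChild($img);
        }
    }

    // CSS url() in inline styles is a second fetch path; strip such styles entirely.
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//*[@style]') as $el) {
        if (stripos($el->getAttribute('style'), 'url(') !== false) {
            $el->removeAttribute('style');
        }
    }

    // Serialise the wrapper's children so the caller gets a fragment back, not a document.
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample ticket body: one legitimate image, one stream-wrapper reference,
// one inline style that would trigger a fetch.
$sample = '<p>Hello</p><img src="https://example.com/logo.png">'
        . '<img src="php://not-allowed"><p style="background:url(x)">x</p>';
echo sanitizeHtmlForPdf($sample), PHP_EOL;
```

Input sanitisation of this kind complements, and does not replace, upgrading to v1.17.7 / v1.18.3 and restricting guest ticket creation (AC-3).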