CVE-2026-22200
Published: 12 January 2026
Summary
CVE-2026-22200 is a high-severity Injection (CWE-74) vulnerability in Enhancesoft osTicket. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the root cause by requiring validation and sanitization of crafted rich-text HTML inputs containing PHP filter expressions before processing by the mPDF PDF generator.
- SI-2 (Flaw Remediation): Mandates timely flaw remediation through vendor patches that fix the insufficient sanitization in osTicket's ticket PDF export functionality.
- AC-6 (Least Privilege): Enforces least privilege for the osTicket application user to restrict access to sensitive server filesystem files, limiting the scope of arbitrary file reads disclosed in generated PDFs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file read via unauthenticated exploitation of a public-facing web application's PDF export maps directly to T1190 (Exploit Public-Facing Application) and T1005 (Data from Local System).
NVD Description
Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
Deeper analysis
Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 are affected by CVE-2026-22200, an arbitrary file read vulnerability in the ticket PDF export functionality. The issue stems from insufficient sanitization of crafted rich-text HTML in submitted tickets, which can include PHP filter expressions. These expressions are processed by the mPDF PDF generator during export, enabling the embedding of attacker-selected server filesystem files as bitmap images within the generated PDF. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-74 (Injection).
A remote attacker can exploit this vulnerability by submitting a ticket with malicious HTML containing PHP filter expressions, which requires no privileges in default configurations allowing guest ticket creation and status access or self-registration. Upon exporting the ticket to PDF, the attacker receives a file that discloses sensitive local files readable by the osTicket application user, such as configuration files or other server data, without impacting integrity or availability.
Mitigation involves upgrading to osTicket 1.17.7 or 1.18.3, as detailed in the respective GitHub release notes and the patching commit c59b067. Advisories from VulnCheck and Horizon3.ai provide further technical details on exploitation and remediation, emphasizing sanitization improvements in the PDF generation process.
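The SI-10 control above and the deeper analysis both come down to one check: no resource reference in submitted rich-text HTML may reach the PDF renderer unless it points at something the renderer is meant to fetch. The following is an added example, not osTicket's or mPDF's own code, of an allowlist validator a hypothetical pre-export hook could run over ticket HTML. It assumes the application only ever needs absolute http(s) image URLs and inline data: raster images; anything with another scheme (stream wrappers, file: URIs) or a bare server-relative path is refused, since a server-side renderer would resolve those against the local filesystem. The ticket HTML samples are constructed for illustration.

```python
"""Allowlist check for resource references in rich-text ticket HTML.

Added example (not osTicket's or mPDF's own code). It models the SI-10
control: refuse any embedded resource reference whose scheme is not plain
http(s) or an inline data: raster image before the HTML reaches a server-side
PDF renderer. The sample HTML below is constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose attributes cause a renderer to fetch a resource on its own.
FETCHING_TAGS = {"img", "image", "object", "embed", "iframe", "source",
                 "video", "audio", "link", "input", "track"}
# Attributes on those tags that carry the resource location.
RESOURCE_ATTRS = {"src", "href", "data", "poster"}
# CSS url(...) in a style attribute is a second way to pull in a resource.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_DATA_PREFIXES = ("data:image/png", "data:image/jpeg", "data:image/gif")


def reference_allowed(ref: str) -> bool:
    """True only for absolute http(s) URLs or inline data: raster images."""
    ref = ref.strip()
    lowered = ref.lower()
    if lowered.startswith("data:"):
        return lowered.startswith(ALLOWED_DATA_PREFIXES)
    scheme = urlsplit(ref).scheme.lower()
    # An empty scheme means a bare path; a server-side renderer would resolve
    # it locally, so it is refused along with any non-http(s) scheme.
    return scheme in ALLOWED_SCHEMES


class ReferenceCollector(HTMLParser):
    """Collects every (tag, attribute, value) that names a fetchable resource."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if tag in FETCHING_TAGS and name in RESOURCE_ATTRS:
                self.refs.append((tag, name, value))
            elif name == "style":
                for url in CSS_URL_RE.findall(value):
                    self.refs.append((tag, "style:url", url))


def find_rejected_references(html: str) -> list:
    """Return each (tag, attribute, value) whose target is not allowlisted."""
    collector = ReferenceCollector()
    collector.feed(html)
    collector.close()
    return [ref for ref in collector.refs if not reference_allowed(ref[2])]


def safe_to_export(html: str) -> bool:
    """Gate for a hypothetical pre-export hook: True when nothing was rejected."""
    return not find_rejected_references(html)


# Constructed samples: one benign ticket body per category.
CONSTRUCTED_SAMPLES = {
    "benign": '<p>Printer jams on tray 2.</p><img src="https://cdn.example.test/logo.png">',
    "inline": '<p>Screenshot:</p><img src="data:image/png;base64,iVBORw0KGgo=">',
    "wrapper": '<img src="php://example-stream-wrapper">',
    "css": '<div style="background:url(file:///server/local/path)">x</div>',
}

if __name__ == "__main__":
    for label, body in CONSTRUCTED_SAMPLES.items():
        verdict = "export" if safe_to_export(body) else "refuse"
        print(f"{label:8s} -> {verdict} {find_rejected_references(body)}")
```

The check is deliberately an allowlist rather than a list of known-bad schemes: a denylist has to be updated every time a renderer gains a new way to open a local path, whereas an allowlist of absolute http(s) and inline image data stays correct as the renderer evolves. In practice this validation belongs at ticket submission as well as at export, so that stored ticket bodies never carry references the renderer would be unwilling to fetch.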
Details
- CWE(s): CWE-74 (Injection)