Cyber Resilience

CVE-2026-22200

Severity: High · Public PoC

Published: 12 January 2026
Modified: 27 January 2026
KEV Added: (not listed)
Patch: osTicket v1.17.7 / v1.18.3
CVSS v4 score: 8.7
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.7312 (99.4th percentile)
Risk priority: 80 (floored blend · peak EPSS)

Summary

CVE-2026-22200 is a high-severity Injection (CWE-74) vulnerability in Enhancesoft osTicket. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. The flaw arises when rich-text HTML containing PHP filter expressions is insufficiently sanitized before processing by the mPDF library, allowing the generated PDF to embed contents of arbitrary server files as bitmap images readable by the osTicket application user. The issue is tracked as CWE-74 and carries a CVSS 4.0 score of 8.7 reflecting network-accessible confidentiality impact without authentication requirements.

A remote attacker can exploit the weakness in default configurations that permit guest ticket creation or self-registration. By submitting a crafted ticket and triggering PDF export, the attacker obtains disclosure of sensitive local files such as configuration data or source code without needing prior credentials or elevated privileges.

Public references point to official patches released in osTicket v1.17.7 and v1.18.3, along with the corresponding commit that addresses input sanitization in the PDF export path. Administrators are advised to upgrade promptly and restrict guest access where feasible.

EPSS scores for the vulnerability reached a peak of 0.7537 on 2026-04-09 before receding to the current value of 0.6687, indicating measurable post-disclosure interest. Independent research publications have examined chaining opportunities beyond the initial file read.

Vulnerability details

Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions, which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
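The check a defender wants at this point, for both the deeper analysis and the vulnerability details above, is an allowlist on every URL-bearing reference in the rich-text HTML before a server-side PDF renderer ever sees it: only remote http(s) fetches and inline data:image content survive, so stream wrappers and filesystem paths never reach the image loader. The Python below is an added illustration, not osTicket's or mPDF's own code. It assumes the ticket body arrives as one HTML string; the sample ticket and the placeholder references in it are constructed, and the function and class names are my own.

```python
"""Allowlist sanitizer for URL-bearing HTML before server-side PDF rendering.

Added illustrative Python, not osTicket's or mPDF's own code. Assumes the
rich-text ticket body is an HTML string from which a renderer will later
load images and styles; anything that is not an http(s) URL or an inline
data:image is dropped before the renderer sees it.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
URL_ATTRS = {"src", "href", "poster", "background", "data", "srcset"}
CSS_URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.I | re.S)


def is_allowed_url(value: str) -> bool:
    """Allowlist: remote http(s) or inline image data only.

    Scheme-less (relative) references are rejected too: a PDF renderer
    resolves them against a server-side base path, i.e. the local
    filesystem, just as it would php://, file:// or phar:// wrappers.
    """
    v = value.replace("\x00", "").strip()
    if v.lower().startswith("data:image/"):
        return True
    return urlsplit(v).scheme.lower() in ALLOWED_SCHEMES


def url_candidates(attr: str, value: str):
    """srcset carries 'url descriptor, url descriptor'; other attrs hold one URL."""
    if attr == "srcset":
        return [c.strip().split()[0] for c in value.split(",") if c.strip()]
    return [value]


class PdfSafeHtml(HTMLParser):
    """Rebuilds the HTML, dropping every reference that fails the allowlist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.rejected = []      # (tag, attribute, value): feed to logs/alerts
        self._in_style = False

    def _clean_css(self, tag, css):
        def repl(m):
            if is_allowed_url(m.group(2)):
                return m.group(0)
            self.rejected.append((tag, "css-url", m.group(2)))
            return "none"
        return CSS_URL_RE.sub(repl, css)

    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if value is None:
                kept.append(lname)
                continue
            if lname in URL_ATTRS:
                if not all(is_allowed_url(u) for u in url_candidates(lname, value)):
                    self.rejected.append((tag, lname, value))
                    continue
            elif lname == "style":
                value = self._clean_css(tag, value)
            kept.append(f'{lname}="{escape(value, quote=True)}"')
        return "".join(" " + a for a in kept)

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self._in_style = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # <style> bodies are CSS, not text: scrub url() references there too
        self.out.append(self._clean_css("style", data) if self._in_style
                        else escape(data, quote=False))

    def handle_comment(self, data):
        pass                    # comments carry nothing a PDF needs


def sanitize_for_pdf(html: str):
    """Return (clean_html, rejected_references) for the given ticket body."""
    p = PdfSafeHtml()
    p.feed(html)
    p.close()
    return "".join(p.out), p.rejected


# Constructed ticket body: one legitimate image, then references of the kind
# the allowlist exists to stop (placeholder targets, not real payloads).
SAMPLE_TICKET_HTML = (
    '<p>Printer on floor 3 is down &amp; jammed.</p>'
    '<img src="https://example.test/logo.png" alt="logo">'
    '<img src="php://constructed/example">'
    '<img src="../constructed/relative.png">'
    '<div style="background:url(file:///constructed/path)">x</div>'
)

if __name__ == "__main__":
    clean, rejected = sanitize_for_pdf(SAMPLE_TICKET_HTML)
    print(clean)
    for tag, attr, value in rejected:
        print(f"REJECTED {tag}[{attr}] = {value!r}")
```

The `rejected` list is worth keeping: a ticket whose export produced rejected references is a detection signal on its own, and logging the tag, attribute and offending value gives the SOC something to pivot on. Note that this covers only the SI-10 (input validation) side of the page's mitigations; restricting who may create tickets or trigger exports (AC-3) is a separate control.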

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Arbitrary file read via unauthenticated exploitation of public-facing web app PDF export directly enables T1190 and T1005.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25814 (shared CWE-74)
CVE-2026-27727 (shared CWE-74)
CVE-2026-7770 (shared CWE-74)
CVE-2022-31631 (shared CWE-74)
CVE-2026-26002 (shared CWE-74)
CVE-2026-2019 (shared CWE-74)
CVE-2026-32695 (shared CWE-74)
CVE-2024-39604 (shared CWE-74)
CVE-2026-45344 (shared CWE-74)
CVE-2025-64428 (shared CWE-74)

Affected Assets

enhancesoft
osticket
1.17.x before 1.17.7 · 1.18.x before 1.18.3

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires validation and sanitization of rich-text HTML input containing PHP filter expressions before mPDF PDF export processing.

prevent: Enforces access restrictions so that only authorized users, not unauthenticated guests, can create tickets or trigger PDF exports that leak files.

prevent: Controls information flows to block unauthorized embedding of arbitrary server file contents into generated PDF output.
