CVE-2026-22200 Scanner

osTicket is a widely used open-source support ticket management system that enables customers to create tickets online via email or web forms, and effectively tracks and manages inquiries. It is used by various organizations and service providers to streamline customer support processes. The software supports ticket assignments, alerts, and collaboration between departments, ensuring efficient case resolution. It is primarily used in environments where customer service is a priority, such as help desks, IT support teams, and service departments. As a modular and customizable platform, osTicket can be easily adapted to suit the needs of different businesses, with features like automated workflows, custom fields, and detailed reporting. Its popularity stems from its balance of ease of use and functionality, making it a preferred choice for handling customer support queries.

This scanner detects an arbitrary file read vulnerability present in earlier versions of osTicket, specifically before 1.18.3 in the 1.18.x series and before 1.17.7 in the 1.17.x series. This vulnerability arises within the ticket PDF export functionality, where attackers can exploit the insufficient sanitization of crafted rich-text HTML inputs. By leveraging PHP filter expressions, attackers can generate a PDF that embeds server-local files as bitmap images. This can lead to the disclosure of sensitive files stored on the server hosting the osTicket instance. Proper awareness and mitigation are crucial to prevent data breaches stemming from this exposure.

The vulnerability lies at the point where the mPDF PDF generator processes ticket export functionality. Specifically, the system fails to adequately sanitize maliciously crafted content submitted through ticket creation, which can be exploited to include PHP filter expressions. These crafted inputs allow unauthorized integration of local file content into the document. Such unauthorized access to the server filesystem enables attackers to view sensitive information, especially when the configuration allows unauthenticated ticket creation or self-registration features are enabled, adding risk in exploit scenarios.

If exploited, the arbitrary file read vulnerability can lead to significant data breaches and disclosure of confidential information within the osTicket instance. As attackers can access sensitive files without proper authorization, organizations risk exposure of critical data, potentially leading to privacy violations, regulatory non-compliance, and reputational damage. Moreover, the exploitation could assist attackers in lateral movement, gaining further access to internal systems and escalating their exposure impact. This highlights the importance of addressing the vulnerability promptly and implementing security best practices to safeguard against such threats.

REFERENCES

• https://horizon3.ai/attack-research/attack-blogs/ticket-to-shell-exploiting-php-filters-and-cnext-in-osticket-cve-2026-22200/
• https://github.com/horizon3ai/CVE-2026-22200/blob/main/check.py
• https://nvd.nist.gov/vuln/detail/CVE-2026-22200