CVE-2026-48243
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the original owner's WhitePages account.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Open ISES | Tickets | 0 < 3.44.2 | affected |
Weaknesses
- CWE-798: Use of Hard-coded Credentials
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/openises/tickets/releases/tag/v3.44.2
- https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
- https://www.vulncheck.com/advisories/open-ises-tickets-hardcoded-whitepages-api-key-in-wp1-php
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.