CVE-2026-22200 - osTicket PHP Filter Chain Injection Vulnerability
Summary:
CVE-2026-22200 is a critical PHP Filter Chain Injection vulnerability discovered by Horizon3.ai that affects Enhancesoft osTicket, a widely used open-source help desk and ticketing system.
As of early 2026, the vulnerability remains unpatched (0-day status), meaning all current deployments (including version 1.18.2) are potentially vulnerable in their default configurations.
CVE-2026-22200:
Enhancesoft osTicket versions up to and including 1.18.2 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
- Attack Vector: Remote / Anonymous (if self-registration or guest tickets are enabled).
- Ease of Exploitation: High. In default configurations, any user can submit a ticket and view its status, providing the necessary access to trigger the exploit.
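The description above hinges on rich-text HTML whose resource URLs name a PHP stream wrapper (php://filter) that the PDF renderer later resolves. The following is an added example, not code from osTicket or from Horizon3.ai, of a defender-side check that scans thread-entry HTML for such references before it is stored or exported. It assumes the thread body is available as an HTML string; the sample entries are constructed, and treating file://, phar://, glob:// and expect:// the same way as php:// is an assumption of this example, not something the advisory states.

```python
"""
Defensive check: flag PHP stream-wrapper references (php://filter and similar)
in URL-bearing attributes of rich-text HTML, such as osTicket thread entries
that may later be handed to an HTML-to-PDF renderer.

Added example; not osTicket's own code. Sample entries below are constructed.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Attributes an HTML-to-PDF renderer may treat as a resource to fetch.
URL_ATTRS = {"src", "href", "background", "poster", "data"}

# Scheme must be at the start of the URL to act as a stream wrapper. php:// is
# what the advisory describes; the other wrappers are an assumption of this
# example (they are also server-local read channels in PHP).
WRAPPER_RE = re.compile(r"^[\s\x00-\x1f]*(php|file|phar|glob|expect)\s*:", re.IGNORECASE)


class _RefCollector(HTMLParser):
    """Collects (tag, attribute, value) for every URL-bearing attribute."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: &#112;hp:// is unescaped to php://
        self.refs: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in URL_ATTRS and value is not None:
                self.refs.append((tag.lower(), name.lower(), value.strip()))


def find_wrapper_refs(fragment: str) -> List[Tuple[str, str, str]]:
    """Return (tag, attribute, value) triples whose value starts with a PHP stream wrapper."""
    parser = _RefCollector()
    parser.feed(fragment)
    parser.close()
    return [ref for ref in parser.refs if WRAPPER_RE.search(ref[2])]


def scan_thread(entries: List[Dict]) -> List[Tuple[int, str, str, str]]:
    """Scan a list of {"id": int, "body": html} entries; return (id, tag, attr, value) hits."""
    hits = []
    for entry in entries:
        for tag, attr, value in find_wrapper_refs(entry["body"]):
            hits.append((entry["id"], tag, attr, value))
    return hits


# Constructed sample thread entries: two benign, two carrying a wrapper reference
# (the second one obfuscated with an HTML character reference).
SAMPLE_ENTRIES = [
    {"id": 101, "body": '<p>Printer on floor 2 is jammed. <img src="cid:photo1"></p>'},
    {"id": 102, "body": '<p>Please see <a href="https://intranet.example/kb/42">KB 42</a>.</p>'},
    {"id": 103, "body": '<p>Logo: <IMG SRC="php://filter/resource=/srv/example.txt"></p>'},
    {"id": 104, "body": '<p><img src="&#112;hp://filter/resource=/srv/example.txt"></p>'},
]

if __name__ == "__main__":
    for entry_id, tag, attr, value in scan_thread(SAMPLE_ENTRIES):
        print(f"entry {entry_id}: <{tag} {attr}=...> references a stream wrapper: {value!r}")
```

Running the module prints one line for entries 103 and 104 and nothing for the benign entries. The parser-based approach catches mixed-case tags and entity-encoded schemes that a naive substring search for "php://" would miss; it does not inspect CSS url() values inside style attributes or stylesheets, so a hook that rejects HTML on a hit should sit alongside, not replace, the configuration changes in the Suggested Corrections section.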
Impact:
The impact of this vulnerability ranges from sensitive data theft to full system compromise:
- Arbitrary File Read: Attackers can exfiltrate any file the web server has permission to access. This typically includes:
- ost-config.php: Contains database credentials and the application's secret key.
- System Files: /etc/passwd (Linux) or sensitive configuration files on Windows.
- Remote Code Execution (RCE): On Linux hosts also vulnerable to CVE-2024-2961 (a glibc iconv vulnerability), this PHP filter injection can be escalated to execute arbitrary commands, allowing the attacker to install web shells and take full control of the server.
- Credential Theft (Windows): For osTicket instances running on Windows, the exploit can be used to trigger outbound SMB connections, allowing attackers to capture NTLMv2 hashes of the service account.
- Information Disclosure: Since ticketing systems often store internal tokens, customer data, and employee credentials, a breach of this system serves as an ideal beachhead for pivoting further into an organization's internal network.
Suggested Corrections:
Because there is currently no official patch, organizations using osTicket should immediately implement the following configuration changes in the Admin Panel:
- Disable Self-Registration: Go to Admin Panel -> Users -> Settings and disable the ability for users to register themselves.
- Require Login for Tickets: Change settings to require registration and login to submit or view tickets.
- Disable HTML in Threads: Go to Admin Panel -> Settings -> System and disable HTML in thread entries and email correspondence to prevent the injection of the malicious filters.
- Restrict Access: Place the osTicket instance behind a VPN or use IP-based whitelisting to limit who can access the web interface.
Source:
https://horizon3.ai/attack-research/vulnerabilities/cve-2026-22200/