CVE-2026-22200
Horizon3.ai discovered a severe vulnerability affecting Enhancesoft osTicket, a popular open source help desk and ticketing system. This vulnerability, tracked as CVE-2026-22200, allows attackers, including anonymous ones where the instance lets unauthenticated users open tickets, to read arbitrary files from the osTicket server, including its sensitive configuration.
When chained with CVE-2024-2961, a buffer overflow in glibc's iconv() ISO-2022-CN-EXT converter that is reachable through PHP's php://filter conversion filters on Linux hosts running an unpatched glibc, the file read can be escalated to uploading a web shell and executing arbitrary commands on the osTicket server. Every deployment is affected by the file read; whether an Internet-facing instance can be exploited by an anonymous attacker depends on its configuration, in particular on whether unauthenticated users are allowed to open and view tickets.
CVE-2026-22200 gives any user who can open and view tickets the ability to read arbitrary files from the osTicket server. The exploit involves creating crafted tickets containing PHP filter expressions (php://filter stream wrapper URLs) in rich text ticket fields, which osTicket fails to sanitize correctly. When the ticket is exported to PDF, the renderer resolves those references on the server, so the contents of the targeted file end up embedded in the resulting PDF as a bitmap image, which the attacker then simply downloads.
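As an added example (not osTicket's code and not the Horizon3.ai exploit), the following Python shows what "correctly sanitized" has to mean for image sources in a rich text field before they reach a server-side PDF renderer, and doubles as a scanner for hunting crafted tickets in stored ticket bodies. It assumes what the advisory describes: the renderer fetches <img src> values with PHP file functions that honour stream wrappers, which is how a php://filter URL becomes a local file read. The naive_blocklist_ok function is a hypothetical insufficient check written for illustration, not osTicket's, and the ticket bodies in SAMPLES are constructed.

```python
"""Allowlist check and scanner for <img src> values in rich-text ticket bodies.

Added example; this is not osTicket's code or Horizon3.ai's exploit. It
assumes what the advisory describes: the PDF export hands image sources from
the ticket body to a renderer that fetches them with PHP file functions, which
honour stream wrappers such as php://. The ticket bodies in SAMPLES are
constructed for this example.
"""
import re
from html.parser import HTMLParser

# Schemes a ticket image may legitimately use. Anything else (php://, file://,
# data:, phar://, glob://, ...) is rejected rather than enumerated in a blocklist.
ALLOWED_SCHEMES = {"http", "https"}

# RFC 3986 scheme syntax, matched case-insensitively because PHP's stream
# wrapper lookup is case-insensitive (PHP://filter works like php://filter).
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)

# ASCII NUL through space: leading/trailing junk a lenient fetcher may drop.
_JUNK = "".join(chr(c) for c in range(0x21))


def naive_blocklist_ok(src: str) -> bool:
    """Hypothetical insufficient check, shown only to illustrate the failure mode.

    A literal substring match misses case changes, other wrappers (file://)
    and encodings the renderer decodes before fetching.
    """
    return "php://filter" not in src


def allowlist_ok(src: str) -> bool:
    """Hardened check: accept http(s) absolute URLs or scheme-less relative paths."""
    src = src.strip(_JUNK)
    match = _SCHEME_RE.match(src)
    if match is None:
        # No scheme, so a relative path. Also refuse protocol-relative
        # '//host/...' so the renderer cannot be pointed at arbitrary hosts.
        return not src.startswith("//")
    return match.group(1).lower() in ALLOWED_SCHEMES


class ImgSrcCollector(HTMLParser):
    """Collect every <img src> value. HTMLParser decodes entities in attribute
    values, so '&#112;hp://' reaches the check as 'php://', exactly as a
    renderer that decodes entities would see it."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        for name, value in attrs:
            if name == "src" and value is not None:
                self.sources.append(value)


def find_disallowed_sources(ticket_html: str) -> list:
    """Return the <img src> values in a ticket body that fail the allowlist.

    Run it over stored ticket bodies to hunt for crafted tickets, or call it
    before handing a body to the PDF renderer and refuse the export on a hit.
    """
    collector = ImgSrcCollector()
    collector.feed(ticket_html)
    collector.close()
    return [s for s in collector.sources if not allowlist_ok(s)]


# Constructed sample ticket bodies (not real tickets).
SAMPLES = {
    "benign": '<p>Printer jam in room 4</p><img src="https://example.org/jam.png">',
    "relative": '<img src="/images/logo.png">',
    "plain_filter": '<img src="php://filter/convert.base64-encode/resource=/etc/passwd">',
    "upper_scheme": '<img src="PHP://filter/resource=/var/www/html/include/ost-config.php">',
    "entity_encoded": '<img src="&#112;hp://filter/resource=/etc/hosts">',
    "leading_tab": '<img src="\tphp://filter/resource=/etc/passwd">',
    "file_wrapper": '<img src="file:///etc/passwd">',
}


def scan_samples(samples=SAMPLES) -> dict:
    """Map each sample name to the sources the allowlist rejects."""
    return {name: find_disallowed_sources(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:15s} {'REJECT' if hits else 'ok'} {hits}")
```

The point of the allowlist is that the rejected set is open-ended: php://filter is only one of PHP's wrappers, and a substring blocklist is defeated by a case change, a different wrapper, or an HTML entity that the renderer decodes before fetching. Porting allowlist_ok to PHP for use inside a PHP application is direct (parse_url() returns the scheme component); the check reduces exposure but is not a substitute for the vendor fix.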
Ticketing systems typically hold sensitive information and can serve as a beachhead for pivoting into internal networks, which makes them an attractive target for attackers. All versions of osTicket should be considered affected; the latest release at the time of writing is 1.18.2, and no vendor patch is available.
Until a patch is released, organizations should reduce exposure by limiting who can reach the application and by disabling the functionality the exploit depends on. Recommended actions are to apply network or host-based firewall rules that restrict access to the osTicket instance, and to update the osTicket configuration to disable user self-registration and require registration and login to submit tickets, so that the prerequisite of opening and viewing a ticket is no longer available to anonymous users.