CVE-2026-22200
📋 TL;DR
This vulnerability allows remote attackers to read arbitrary files from the osTicket server filesystem. The attacker submits a ticket whose body contains crafted HTML that references a PHP filter wrapper (php://filter); when the ticket is exported to PDF, the reference is resolved during rendering and the contents of the referenced file end up in the generated document. Any file readable by the web server process can be disclosed, including configuration files, credentials, and source code. Affected systems are osTicket installations that let untrusted users create tickets, i.e. with guest ticket creation or self-registration enabled.
💻 Affected Systems
- Enhancesoft osTicket
📦 What is this software?
osTicket by Enhancesoft is an open-source, PHP-based customer support ticketing system. Tickets are submitted by end users (by web form, email, or API) and worked by agents through a staff interface, which includes exporting a ticket to PDF.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise. The file read executes as the web server user, so include/ost-config.php (database credentials and the installation's secret salt) is always within reach, as are SSH keys or other secrets that user can read; these enable privilege escalation and lateral movement. The referenced Horizon3 write-up ("Ticket to Shell") shows the same PHP filter primitive being chained beyond plain file disclosure.
Likely Case
Disclosure of sensitive configuration files, source code, and potentially credentials stored in accessible files, enabling further attacks or data theft.
If Mitigated
Limited impact where untrusted users cannot create tickets, osTicket is reachable only from trusted networks, and secrets outside the application are not readable by the web server user. Note that file permissions cannot protect files osTicket itself must read (its own configuration and source), so the disclosure of database credentials is not mitigated by permissions alone.
🎯 Exploit Status
Exploitation requires creating a ticket whose body contains the crafted HTML and then having that ticket exported to PDF. The read happens at PDF generation time, so the attacker either triggers the export themselves or waits for an agent to print the ticket. Public exploit details and a proof-of-concept are available (see the Horizon3 reference below).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.18.3 (1.18.x branch) or 1.17.7 (1.17.x branch)
Vendor Advisory: https://github.com/osTicket/osTicket/releases/tag/v1.17.7
Restart Required: No
Instructions:
1. Back up your osTicket installation directory and database.
2. Download the patched release for your branch (1.18.3 or 1.17.7) from the official repository.
3. Replace the existing installation files with the patched version, keeping your include/ost-config.php (it holds the database settings and is not part of the release archive).
4. Visit the staff control panel and complete any upgrade step osTicket prompts for; clear any cached files or temporary data.
5. Verify the installation is working and that the admin panel reports the patched version.
6. If exploitation is suspected, rotate the database credentials and any other secrets stored in files the web server user could read.
🔧 Temporary Workarounds
Disable guest ticket creation
Prevent unauthenticated users from creating tickets by disabling guest access in the osTicket settings.
Disable self-registration
Turn off user self-registration so that only accounts you create can submit tickets; this reduces, but does not remove, the attack surface, since any user who can open a ticket can supply the crafted HTML.
Restrict PDF export permissions
Limit PDF export to authenticated users with specific roles only. The malicious content is supplied by the ticket submitter while the export may be performed by an agent, so this alone does not close the hole: an agent printing a malicious ticket still triggers the read.
🧯 If You Can't Patch
- Implement strict network access controls to limit osTicket access to trusted users only.
- Deploy web application firewall (WAF) rules that block ticket submissions whose body contains PHP stream wrapper strings such as `php://filter`. The rule must normalize URL encoding and HTML entities before matching, since the same wrapper can be written as `php%3A%2F%2Ffilter` or `php&#58;//filter`.
🔍 How to Verify
Check if Vulnerable:
Check your osTicket version in the admin panel (Admin Panel > Dashboard > Information) or from the source: current releases define the constant THIS_VERSION in include/main.inc.php. Note that include/ost-config.php holds the database credentials and secret salt rather than the version, which is exactly why it is a prime target for this file read.
Check Version:
grep -n "THIS_VERSION" include/main.inc.php 2>/dev/null || echo 'Check admin panel'
Verify Fix Applied:
Verify the version number shows 1.18.3 or higher on the 1.18.x branch, or 1.17.7 or higher on the 1.17.x branch. Versions 1.18.0 through 1.18.2 and 1.17.0 through 1.17.6 are affected; no fixed release is listed for older branches, so treat them as vulnerable and move to a fixed branch.
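The version comparison above is easy to get wrong by hand (a 1.17.7 install is patched while a 1.18.2 install is not, even though 1.18.2 is the "newer" number). The following script is an added example, not part of this advisory or of osTicket; it assumes the version constant is THIS_VERSION in include/main.inc.php (as in current osTicket releases) and treats branches older than 1.17, for which no fix is listed, as vulnerable.

```python
import re
from pathlib import Path

# Fixed releases per branch, taken from the advisory.  Branches older than
# 1.17 have no fixed release listed, so they are treated as vulnerable
# (assumption: the only remedy is moving to a fixed branch).
FIXED_BY_BRANCH = {(1, 17): (1, 17, 7), (1, 18): (1, 18, 3)}

# Matches e.g.  define('THIS_VERSION','1.18.2'); //Shown on admin panel
# (the constant osTicket defines in include/main.inc.php).
THIS_VERSION_RE = re.compile(
    r"""define\(\s*['"]THIS_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def parse_version(text):
    """'1.18.2', 'v1.17.6' or '1.18.2-rc1' -> (1, 18, 2); raises on junk."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not an osTicket version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version):
    """True if this osTicket version is affected by CVE-2026-22200."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # Newer branches are assumed to carry the fix; older ones have none listed.
    return branch < min(FIXED_BY_BRANCH)


def version_from_source(php_source):
    """Pull the THIS_VERSION string out of main.inc.php contents, or None."""
    m = THIS_VERSION_RE.search(php_source)
    return m.group(1) if m else None


def check_install(root):
    """Inspect an osTicket install directory; returns (version, vulnerable)."""
    src = Path(root, "include", "main.inc.php").read_text(errors="replace")
    version = version_from_source(src)
    if version is None:
        raise RuntimeError("THIS_VERSION not found; check the admin panel instead")
    return version, is_vulnerable(version)


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    version, vuln = check_install(root)
    print(f"osTicket {version}: {'VULNERABLE' if vuln else 'patched'}")
```

Run it as `python check_osticket.py /var/www/osticket` on the web server; a git checkout that defines THIS_VERSION as something other than a release number will raise from parse_version, in which case fall back to the admin panel.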
📡 Detection & Monitoring
Log Indicators:
- PDF export (ticket print) activity on tickets opened by guests or newly created accounts
- Ticket bodies containing `php://` stream wrappers, filter names such as `convert.iconv` or `convert.base64-encode`, or paths like `include/ost-config.php` and `/etc/passwd`
- Repeated ticket submissions from one source that vary only in the embedded HTML, suggesting payload iteration
Network Indicators:
- HTTP requests containing PHP filter expressions in ticket content
- Unusual patterns in PDF export endpoints
SIEM Query (template; osTicket writes its system log to the database rather than to a file, and web server access logs do not contain POST bodies, so point the source at wherever request bodies are captured, such as a WAF or reverse proxy log):
source="osticket.log" AND ("export" OR "pdf") AND ("guest" OR "php://" OR "filter")
🔗 References
- https://github.com/osTicket/osTicket/commit/c59b067
- https://github.com/osTicket/osTicket/releases/tag/v1.17.7
- https://github.com/osTicket/osTicket/releases/tag/v1.18.3
- https://horizon3.ai/attack-research/attack-blogs/ticket-to-shell-exploiting-php-filters-and-cnext-in-osticket-cve-2026-22200/
- https://www.vulncheck.com/advisories/osticket-pdf-export-arbitrary-file-read