CVE-2026-22200: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in Enhancesoft osTicket
Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
AI Analysis
Technical Summary
CVE-2026-22200 is an arbitrary file read vulnerability classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) affecting Enhancesoft osTicket 1.17.x prior to 1.17.7 and 1.18.x prior to 1.18.3; 1.17.7 and 1.18.3 are the fixed releases. The flaw sits in the ticket PDF export. Rich-text HTML submitted with a ticket is not sufficiently sanitized before it is handed to the mPDF PDF generator, and mPDF resolves resource references in that HTML through PHP's stream layer. A PHP filter expression (a php://filter stream-wrapper reference) placed in the ticket body therefore causes mPDF to read an attacker-chosen file from the server and embed its contents in the generated PDF as a bitmap image. The attacker downloads the PDF and recovers the file from the image.

Everything readable by the account the web server runs osTicket under is in scope: osTicket's own include/ost-config.php with the database credentials, other application configuration, and any other file that account can open. Two properties make the bug easy to reach. The payload is stored with the ticket, so the vulnerable step (export) can be triggered at any time after submission, and no staff member has to do anything: the attacker creates the ticket and exports it. In a default osTicket configuration guests may open tickets and view ticket status, and installations with self-registration enabled are equally exposed, so no pre-existing account is required. The CVSS 4.0 base score is 8.7 (High): network attack vector, no privileges, no user interaction, high confidentiality impact. No exploitation in the wild had been reported at the time of analysis, but the low skill required and the value of the files exposed make this a high-priority fix for any organization whose osTicket client portal is reachable from the internet.
Potential Impact
For European organizations, this vulnerability poses a significant risk of sensitive data leakage from customer-facing or internal support systems running vulnerable osTicket versions. The arbitrary file read can expose configuration files, database credentials and other documents stored on the server, giving an attacker a foothold for further compromise. Organizations in regulated sectors such as finance, healthcare and government are particularly exposed, since ticket systems routinely hold personal data and a confirmed read of credentials or customer data can trigger GDPR breach-notification duties. Because the attack needs no credentials and no victim interaction, automated scanning of internet-facing osTicket instances is likely. The consequences range from loss of trust in the support channel to regulatory penalties and operational disruption while systems are rebuilt and secrets rotated. Given osTicket's wide use among European SMEs and public sector bodies for helpdesk functions, a broad range of organizations remains affected until they patch.
Mitigation Recommendations
1. Upgrade to osTicket 1.17.7 or 1.18.3; these are the releases that contain the fix.
2. Until the upgrade is done, disable guest ticket creation and self-registration. This only narrows who can submit HTML: any account that can open a ticket and export it can still trigger the read, so treat it as a stopgap.
3. If you cannot upgrade immediately, sanitize immediately before the PDF export rather than only at submission time: reject any image or CSS resource reference whose scheme is not on a short allow-list (http, https, data). Sanitizing at export also covers payloads that are already stored in ticket bodies.
4. Hunt before assuming you are clean. The payload lives in the stored ticket body and the file is only read at export time, so search existing ticket and thread bodies for PHP stream-wrapper references (php://, file:// and other local wrappers) in image sources and CSS url() values. Compare decoded values: HTML entities such as &#58; hide the wrapper from a plain string match.
5. A WAF rule that blocks ticket submissions containing php://filter or similar wrapper strings raises the cost of the attack but is easy to evade through encoding. Use it as a tripwire that alerts on matches rather than as the control you rely on.
6. Monitor PDF export activity by guest sessions and newly registered accounts, and correlate export requests with recently created tickets that contain rich-text images.
7. Limit what the web-server user can read, but know the floor: that user must still be able to read osTicket's own include/ost-config.php, which holds the database credentials, so file permissions cannot remove the most valuable target. If exploitation is suspected, rotate the database password and any other secret stored in files the web-server user can read.
8. Include ticketing systems and every server-side document generator (PDF export, mail rendering) in regular assessments; fetching user-controlled resource references on the server is a recurring source of file-read and SSRF bugs.
9. Brief support staff to report tickets with unexplained embedded images or broken image references.
10. Keep the incident response plan ready for confirmed exposure of configuration files or credentials, and follow Enhancesoft's advisories for further guidance.
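The sanitization and hunting recommendations above both come down to one check: is a resource reference in the ticket HTML something the PDF generator would resolve on the server rather than fetch from the network? The script below is an added example written for this page, not osTicket or mPDF code, and it is not the vendor's fix. It assumes that the PHP filter expression the advisory describes reaches the PDF generator as an image source or a CSS url() (the advisory does not name the attribute), that http, https and data are the only schemes a legitimate ticket image uses, and the list of local PHP wrappers is the author's. It works in two modes: run over stored ticket bodies it returns findings to hunt on; run immediately before export it returns HTML with the offending references removed.

```python
"""Flag and strip server-local resource references in rich-text HTML before PDF export.
Added example, not osTicket or mPDF code; see the lead-in for its assumptions."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "data"}   # assumed allow-list; tune to your deployment
# PHP stream wrappers that read from the server instead of the network.
LOCAL_WRAPPERS = ("php://", "file://", "glob://", "phar://", "compress.")
# Attributes a PDF generator fetches as a resource (assumed set).
URL_ATTRS = {"img": ("src",), "image": ("href", "xlink:href")}
CSS_URL = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.I | re.S)


def classify_reference(ref: str) -> str:
    """'wrapper', 'local-path' or 'ok'. Values arrive entity-decoded, so
    'php&#58;//filter/...' is judged as 'php://filter/...'."""
    ref = ref.strip().lower()
    if ref.startswith(LOCAL_WRAPPERS):
        return "wrapper"
    try:
        scheme = urlsplit(ref).scheme
    except ValueError:                      # malformed: treat as suspicious
        return "local-path"
    # No scheme (relative/absolute path) or a drive letter ("c:") is a local read.
    return "ok" if scheme in ALLOWED_SCHEMES else "local-path"


class PdfExportSanitizer(HTMLParser):
    """Rebuild the HTML without local references and record each one removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []      # (tag, attribute, decoded value, verdict)
        self._out = []
        self._in_style = False

    def _allowed(self, tag, attr, value):
        verdict = classify_reference(value)
        if verdict != "ok":
            self.findings.append((tag, attr, value, verdict))
        return verdict == "ok"

    def _clean_css(self, tag, css):
        # Keep url(...) tokens that pass, blank the ones that point at the server.
        return CSS_URL.sub(lambda m: m.group(0) if self._allowed(tag, "url()", m.group(2))
                           else "url()", css)

    def _emit(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:           # HTMLParser lowercases names for us
            if value is None:
                kept.append(name)
                continue
            if name in URL_ATTRS.get(tag, ()) and not self._allowed(tag, name, value):
                continue                    # drop the attribute, keep the element
            if name == "style":
                value = self._clean_css(tag, value)
            kept.append(f'{name}="{html.escape(value, quote=True)}"')
        self._out.append("<" + " ".join([tag] + kept) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, False)
        self._in_style = tag == "style"

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, True)

    def handle_endtag(self, tag):
        self._in_style = False
        self._out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._in_style:                  # <style> text is raw CSS, not entity-decoded
            data = self._clean_css("style", data)
        else:                               # text nodes were decoded; re-escape them
            data = html.escape(data, quote=False)
        self._out.append(data)

    def result(self):
        return "".join(self._out)


def sanitize_for_pdf(body):
    """Return (clean_html, findings) for one stored ticket body."""
    p = PdfExportSanitizer()
    p.feed(body)
    p.close()
    return p.result(), p.findings


# Constructed sample, not a real payload: a legitimate image, a php://filter
# reference, a file:// reference in inline CSS, and an entity-encoded php://filter
# reference that a raw string match for "php://" would miss.
SAMPLE_TICKET_BODY = (
    "<p>Please see the attached screenshot.</p>"
    '<img src="https://cdn.example.test/shot.png" alt="ok">'
    '<img src="php://filter/resource=/etc/hostname" alt="bad">'
    '<div style="background:url(file:///etc/hostname)">x</div>'
    '<img src="php&#58;//filter/resource=/etc/hostname">'
)
```

On the sample body, sanitize_for_pdf returns three findings, all with verdict "wrapper", and the cleaned HTML keeps the https image while the two php://filter sources and the file:// background are gone. Two points matter in practice. First, the parser decodes entities before the check, so the &#58; variant is caught; a WAF or grep looking for the literal string "php://" in the raw submission is not. Second, "local-path" findings need a human look: a relative image path is a local read on the server, but it may also be how your deployment references legitimate inline images, so treat "wrapper" hits as attempted exploitation and "local-path" hits as review items.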
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-06T16:47:17.184Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6965433ada2266e838fe6b2d
Added to database: 1/12/2026, 6:53:46 PM
Last enriched: 1/26/2026, 7:36:31 PM
Last updated: 2/7/2026, 2:57:46 AM
Related Threats
CVE-2026-2071: Buffer Overflow in UTT 进取 520W (High)
CVE-2026-25762: CWE-400: Uncontrolled Resource Consumption in adonisjs core (High)
CVE-2026-25754: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in adonisjs core (High)
CVE-2026-25644: CWE-295: Improper Certificate Validation in datahub-project datahub (High)
CVE-2026-25804: CWE-287: Improper Authentication in antrea-io antrea (High)