
CVE-2026-22200: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in Enhancesoft osTicket

Severity: High
Tags: Vulnerability, CVE-2026-22200, CWE-74
Published: Mon Jan 12 2026 (01/12/2026, 18:34:12 UTC)
Source: CVE Database V5
Vendor/Project: Enhancesoft
Product: osTicket

Description

Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/24/2026, 00:35:08 UTC

Technical Analysis

CVE-2026-22200 is a vulnerability in Enhancesoft osTicket, specifically affecting versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7. The issue arises in the ticket PDF export feature, which uses the mPDF library to generate PDF documents from ticket content. Attackers can submit tickets containing malicious rich-text HTML that includes PHP filter expressions. These expressions are not properly sanitized before being processed by mPDF, allowing the attacker to manipulate the PDF generation process so that arbitrary files from the server filesystem are embedded as bitmap images within the exported PDF. This results in an arbitrary file read vulnerability, enabling disclosure of sensitive files accessible to the osTicket application user context. The vulnerability is exploitable remotely without authentication or user interaction, especially in default configurations where guest ticket creation or self-registration is enabled. The root cause is improper neutralization of special elements in output (CWE-74), leading to injection of malicious content into a downstream component (mPDF). No patches are linked yet, and no known exploits are reported in the wild, but the high CVSS score (8.7) reflects the significant confidentiality impact and ease of exploitation.

Potential Impact

The primary impact of CVE-2026-22200 is unauthorized disclosure of sensitive local files on servers running vulnerable osTicket versions. Attackers can read arbitrary files accessible by the application, potentially exposing configuration files, credentials, internal documents, or other sensitive data. This compromises confidentiality and may facilitate further attacks such as privilege escalation or lateral movement. Since exploitation requires no authentication or user interaction, the attack surface is broad, especially on publicly accessible ticketing portals with guest ticket creation or self-registration enabled. Organizations relying on osTicket for customer support or internal ticketing may face data breaches, regulatory compliance violations, and reputational damage. The vulnerability does not directly affect integrity or availability but can be a stepping stone for more damaging attacks. The lack of known exploits in the wild suggests limited current active exploitation, but the ease of exploitation and high impact warrant urgent attention.

Mitigation Recommendations

To mitigate CVE-2026-22200, organizations should upgrade osTicket to versions 1.18.3 or later, or 1.17.7 or later, once patches are available. Until patches are released, administrators should consider disabling the PDF export functionality or restricting it to trusted users only. Implement strict input validation and sanitization on ticket content, especially for rich-text HTML inputs, to prevent injection of PHP filter expressions. Restrict guest ticket creation and self-registration features to reduce exposure. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious payloads containing PHP filters or unusual HTML content. Regularly audit server filesystem permissions to minimize sensitive file exposure to the osTicket application user. Monitor logs for abnormal ticket submissions or PDF export requests. Finally, maintain a robust incident response plan to quickly address any detected exploitation attempts.
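As an added example in the spirit of the sanitization and WAF recommendations above (this is not code from the advisory or from osTicket itself), the Python check below walks the resource-fetching attributes of ticket rich-text HTML and flags any reference whose URL scheme falls outside an assumed allow-list, which catches php:// stream-wrapper references as well as entity-encoded or whitespace-padded variants. The attribute set, the allow-list and the sample inputs are assumptions chosen for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Attributes that make a downstream renderer (such as a PDF generator) fetch a resource.
RESOURCE_ATTRS = {"src", "href", "data", "poster", "background"}
# Assumed allow-list for ticket content; adjust to local policy.
ALLOWED_SCHEMES = {"http", "https", "mailto", "cid"}


def normalise_ref(value):
    """Undo common obfuscation: decode a second layer of entities, drop whitespace/control chars."""
    decoded = html.unescape(value or "")
    return re.sub(r"[\s\x00-\x1f]", "", decoded)


def scheme_of(ref):
    """Return the lowercase URL scheme of ref, or None for scheme-less (relative) references."""
    m = re.match(r"([a-z][a-z0-9+.\-]*):", ref, re.IGNORECASE)
    return m.group(1).lower() if m else None


def is_allowed_ref(ref):
    scheme = scheme_of(ref)
    if scheme is None:
        return True  # relative reference, resolved against the web root by the application
    if scheme == "data":
        return ref.lower().startswith("data:image/")  # inline images only
    return scheme in ALLOWED_SCHEMES


class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases attribute names and decodes one layer of entities.
        for name, value in attrs:
            if name in RESOURCE_ATTRS:
                ref = normalise_ref(value)
                if not is_allowed_ref(ref):
                    self.findings.append((tag, name, ref))


def find_unsafe_refs(ticket_html):
    """Return (tag, attribute, normalised_ref) for every reference outside the allow-list."""
    collector = _RefCollector()
    collector.feed(ticket_html)
    collector.close()
    return collector.findings


# Constructed samples (not from the advisory): benign, a php:// stream wrapper, and an
# obfuscated variant with a leading space and an entity-encoded character in the scheme.
BENIGN = '<p>Hi</p><img src="https://example.test/logo.png" alt="logo">'
WRAPPER = '<img src="php://filter/resource=placeholder.txt">'
OBFUSCATED = '<img src=" PH&#80;://filter/resource=placeholder.txt">'
```

Running `find_unsafe_refs` over each sample returns an empty list for the benign ticket and one finding for each of the other two, so the same function can sit in a pre-storage validation hook or a log-replay check over previously submitted tickets.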


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-01-06T16:47:17.184Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6965433ada2266e838fe6b2d

Added to database: 1/12/2026, 6:53:46 PM

Last enriched: 3/24/2026, 12:35:08 AM

Last updated: 3/25/2026, 3:58:56 PM

Views: 169
