
CVE-2026-22200: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in Enhancesoft osTicket

Severity: High
Tags: Vulnerability, CVE-2026-22200, CWE-74
Published: Mon Jan 12 2026 (01/12/2026, 18:34:12 UTC)
Source: CVE Database V5
Vendor/Project: Enhancesoft
Product: osTicket

Description

Enhancesoft osTicket versions up to and including 1.18.2 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.

AI-Powered Analysis

Last updated: 01/12/2026, 19:08:28 UTC

Technical Analysis

CVE-2026-22200 is a vulnerability classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) affecting Enhancesoft osTicket versions up to and including 1.18.2. The flaw exists in the ticket PDF export functionality, where the application processes rich-text HTML submitted by users to generate PDF documents via the mPDF library. Attackers can craft ticket content embedding PHP filter expressions that are not properly sanitized before being passed to mPDF. This allows the PDF generator to read arbitrary files from the server filesystem and embed their contents as bitmap images within the exported PDF. Since the vulnerability can be triggered remotely without authentication—particularly in default configurations where guests can create tickets or self-registration is enabled—an attacker can exploit it to disclose sensitive files such as configuration files, credentials, or other critical data accessible to the web server user. The vulnerability has a CVSS 4.0 base score of 8.7, reflecting its high impact on confidentiality with no required privileges or user interaction. Although no known exploits have been reported in the wild, the ease of exploitation and potential data exposure make this a significant threat. The lack of available patches at the time of reporting necessitates immediate mitigation efforts by affected organizations. This vulnerability highlights the risks of insufficient input sanitization in web applications that rely on third-party libraries for document generation.

Potential Impact

For European organizations, the arbitrary file read vulnerability in osTicket could lead to unauthorized disclosure of sensitive internal files, including configuration files, credentials, or personal data stored on the server. This compromises confidentiality and may facilitate further attacks such as privilege escalation or lateral movement within the network. Organizations using osTicket for customer support or internal ticketing risk exposure of sensitive customer information or internal operational data. The vulnerability’s remote, unauthenticated exploitability increases the attack surface, especially for public-facing ticketing portals. Data breaches resulting from this vulnerability could lead to regulatory penalties under GDPR due to unauthorized access to personal data. Additionally, reputational damage and operational disruption may occur if attackers leverage disclosed information to compromise other systems. The lack of known exploits currently provides a window for proactive defense, but the high CVSS score indicates a critical need for rapid response to prevent exploitation.

Mitigation Recommendations

1. Immediately restrict or disable guest ticket creation and self-registration features in osTicket to reduce the attack surface until a patch is available.
2. Implement strict input validation and sanitization on all user-submitted rich-text HTML content, specifically filtering or removing PHP filter expressions before processing.
3. Limit file system permissions of the web server user to the minimum necessary, preventing access to sensitive files that could be read via this vulnerability.
4. Monitor and audit ticket export activities for unusual or suspicious PDF generation requests that may indicate exploitation attempts.
5. If possible, disable or replace the mPDF library with a more secure PDF generation tool that properly handles input sanitization.
6. Apply web application firewall (WAF) rules to detect and block malicious payloads containing PHP filter expressions targeting the ticket export functionality.
7. Stay updated with Enhancesoft’s security advisories and apply official patches or updates as soon as they become available.
8. Conduct internal security reviews and penetration testing focused on ticketing systems to identify and remediate similar injection or file disclosure issues.
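The following is an added defensive example illustrating recommendation 2, written for this page and not taken from osTicket or mPDF. It gates rich-text HTML before it reaches a PDF renderer by allowlisting the URL schemes an image reference may use (plain `http`/`https`, `cid:` inline attachments, and `data:image/` URIs) and rejecting everything else, including the `php://` stream wrapper, `file://`, and bare local paths. The parser also decodes HTML entities and strips control characters before checking, so entity-encoded or whitespace-broken schemes are caught. The sample ticket bodies and every `PLACEHOLDER_*` value are constructed for illustration; the function names are this example's own.

```python
"""Allowlist check on image references in rich-text HTML prior to PDF export.
Added example; not osTicket or mPDF code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a ticket body may legitimately use for images. Anything else
# (php://, file://, phar://, glob://, ...) is refused. "cid" covers inline
# attachments referenced by Content-ID, common in mail-derived HTML.
ALLOWED_SCHEMES = {"http", "https", "cid"}

# CSS url(...) values in inline style attributes are also fetched by PDF renderers.
CSS_URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)

# Whitespace and control characters are dropped by many URL consumers, so remove
# them first; otherwise a scheme such as "p\thp://" could slip past a string match.
CONTROL_CHARS_RE = re.compile(r"[\x00-\x20\x7f]")


def is_acceptable_reference(ref: str) -> bool:
    """True if a single image reference uses an allowlisted scheme."""
    ref = CONTROL_CHARS_RE.sub("", ref)
    if not ref:
        return False
    scheme = urlsplit(ref).scheme  # urlsplit already lowercases the scheme
    if scheme == "data":
        # Only inline images, not arbitrary data: URIs
        return ref.lower().startswith("data:image/")
    if scheme == "":
        # Relative or absolute path: a renderer would resolve it on the local filesystem
        return False
    return scheme in ALLOWED_SCHEMES


class ImageRefCollector(HTMLParser):
    """Collects every URL a PDF renderer would try to open as an image."""

    def __init__(self) -> None:
        super().__init__()  # attribute values are entity-decoded by HTMLParser
        self.refs: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        for name, value in attrs:
            if value is None:
                continue
            if name == "src" and tag == "img":
                self.refs.append(value)
            elif name == "background":  # legacy attribute still honoured by some renderers
                self.refs.append(value)
            elif name == "style":
                self.refs.extend(m.group(2) for m in CSS_URL_RE.finditer(value))


def find_rejected_references(html: str) -> list[str]:
    """Return the image references in `html` that fail the allowlist."""
    collector = ImageRefCollector()
    collector.feed(html)
    collector.close()
    return [r for r in collector.refs if not is_acceptable_reference(r)]


def is_safe_for_pdf_export(html: str) -> bool:
    """Gate to call before handing ticket HTML to the PDF generator."""
    return not find_rejected_references(html)


# Constructed sample ticket bodies (not real tickets or payloads).
SAMPLE_TICKETS = {
    "benign": '<p>Printer jams</p><img src="https://cdn.example.invalid/jam.png">'
              '<img src="cid:photo1@example.invalid">',
    "inline_image": '<img src="data:image/png;base64,iVBORw0KGgo=">',
    "stream_wrapper": '<p>Hi</p><img src="php://filter/PLACEHOLDER_EXPRESSION">',
    "entity_encoded": '<img src="&#112;hp://filter/PLACEHOLDER_EXPRESSION">',
    "css_background": '<div style="background:url(file:///PLACEHOLDER_LOCAL_FILE)">x</div>',
    "local_path": '<img src="/PLACEHOLDER_LOCAL_PATH">',
}

if __name__ == "__main__":
    for label, body in SAMPLE_TICKETS.items():
        verdict = "allow" if is_safe_for_pdf_export(body) else "reject"
        print(f"{label:15s} -> {verdict} {find_rejected_references(body)}")
```

Run as a pre-export gate (or as the basis of a WAF rule per recommendation 6), this rejects any ticket whose images point outside the allowlist rather than trying to enumerate dangerous schemes. It complements, and does not replace, the vendor patch and the least-privilege filesystem permissions in recommendation 3; where the PDF library offers a setting that restricts the stream wrappers or URL schemes it will open, enable that as well.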


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-01-06T16:47:17.184Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6965433ada2266e838fe6b2d

Added to database: 1/12/2026, 6:53:46 PM

Last enriched: 1/12/2026, 7:08:28 PM

Last updated: 1/13/2026, 7:16:33 AM

