CVE-2026-35009 is a reflected cross-site scripting vulnerability affecting Open ISES Tickets prior to version 3.44.2. The issue arises because the ticket_id GET parameter is directly inserted into a hidden input field's VALUE attribute in add_note.php without proper input neutralization. Authenticated attackers can exploit this by crafting a URL with a malicious JavaScript payload in the ticket_id parameter. When a victim accesses this URL, the injected script executes in their browser context, potentially leading to session hijacking or other client-side attacks. The vulnerability has a CVSS 4.0 score of 5.1 (medium severity). No patch or official remediation level has been documented, and the product is not a cloud service.

Successful exploitation allows an authenticated attacker to execute arbitrary JavaScript in the context of the victim's browser when they visit a maliciously crafted URL. This can lead to typical reflected XSS impacts such as session hijacking, unauthorized actions performed on behalf of the victim, or theft of sensitive information accessible to the browser. However, the attack requires the victim to be authenticated and to visit the malicious URL. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid clicking on untrusted links containing ticket_id parameters. Implementing web application firewall (WAF) rules to detect and block suspicious input patterns in ticket_id parameters may help mitigate risk. Developers should apply proper input sanitization and output encoding for the ticket_id parameter in add_note.php to prevent script injection.