CVE-2026-48243: Use of Hard-coded Credentials in Open ISES Tickets
Open ISES Tickets versions before 3.44.2 contain a hardcoded WhitePages reverse-phone API key embedded in the wp1.php file, which is publicly accessible in the source repository. This allows anyone with read access to the source code to extract the key and make API calls that are billed to or rate-limited against the original owner's WhitePages account. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. No official patch or remediation guidance is currently available from the vendor. The vulnerability does not involve privilege or user interaction requirements and has low impact on confidentiality.
AI Analysis
Technical Summary
CVE-2026-48243 is a vulnerability in Open ISES Tickets prior to version 3.44.2 where a hardcoded WhitePages reverse-phone API key is embedded in the wp1.php file within the publicly accessible source repository. This exposure allows any actor with read access to the source code to extract the API key and perform third-party API calls that are billed to or rate-limited against the original owner's WhitePages account. The vulnerability has a CVSS 4.0 score of 6.9 (medium severity) with network attack vector, low confidentiality impact, and no required privileges or user interaction. There is no vendor advisory or patch currently available, and the product is not a cloud service.
Potential Impact
The primary impact is unauthorized use of the embedded WhitePages API key, which could lead to unexpected charges or exhaustion of API call quotas for the legitimate account holder. There is no direct impact on system confidentiality, integrity, or availability. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should avoid using affected versions or remove and replace the hardcoded API key in the source code. Restricting access to the source repository to trusted personnel can reduce exposure. Monitor usage of the WhitePages API account for unusual activity.
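A check that supports the recommendation to remove and replace the hardcoded key, as an added example that is not part of the original advisory or of the Open ISES code: it flags credential-like string literals in PHP source and passes the same code once the key is read from the environment. The PHP samples, the `WHITEPAGES_API_KEY` variable name and the `api.example.invalid` host are constructed for illustration, and the name patterns are a heuristic.

```python
import re

# Identifier fragments that suggest a credential (a heuristic chosen for this example).
NAME = r"(?P<name>\w*(?:api_?key|secret|token|passw(?:or)?d)\w*)"
# A quoted literal of 16+ non-space characters; shorter strings are ignored as noise.
LITERAL = r"(?P<q>['\"])(?P<val>[^'\"\s]{16,})(?P=q)"

PATTERNS = [
    re.compile(r"\$" + NAME + r"\s*=\s*" + LITERAL, re.I),                     # $key = '...';
    re.compile(r"define\(\s*['\"]" + NAME + r"['\"]\s*,\s*" + LITERAL, re.I),  # define('KEY', '...');
    re.compile(r"[?&]" + NAME + r"=(?P<val>[\w-]{16,})", re.I),                # ...?api_key=...
]

# Constructed sample input; not the contents of the project's wp1.php.
BEFORE = '''<?php
$wp_api_key = "0123456789abcdef0123456789abcdef"; // constructed placeholder
$url = "https://api.example.invalid/phone?api_key=0123456789abcdef0123456789abcdef";
'''

# Constructed hardened form: the key comes from the environment and the page fails closed.
AFTER = '''<?php
$wp_api_key = getenv("WHITEPAGES_API_KEY");
if ($wp_api_key === false || $wp_api_key === "") {
    http_response_code(503);
    exit("reverse-phone lookup is not configured");
}
$url = "https://api.example.invalid/phone?api_key=" . urlencode($wp_api_key);
'''

def find_hardcoded_keys(php_source, filename="<input>"):
    """Return (filename, line_no, identifier, redacted_value) per flagged line."""
    findings = []
    # Comments are scanned too: a commented-out key in a public repo is still exposed.
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                # Report only a prefix so the scanner's own output never leaks the key.
                findings.append((filename, line_no, m["name"], m["val"][:4] + "..."))
                break
    return findings

if __name__ == "__main__":
    for finding in find_hardcoded_keys(BEFORE, "before.php"):
        print("%s:%d: literal credential assigned to %s (%s)" % finding)
    print("hardened sample findings:", find_hardcoded_keys(AFTER, "after.php"))
```

A literal deleted from the current tree remains in the repository history, which is why the recommendation is to replace the key and not only remove it.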
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-05-21T13:15:18.101Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a0f4498e1370fbb483a5899
Added to database: 5/21/2026, 5:44:56 PM
Last enriched: 5/21/2026, 6:00:43 PM
Last updated: 5/21/2026, 6:55:32 PM