CVE-2026-22200 in osTicket

Summary

by MITRE • 01/12/2026

Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.


Analysis

by VulDB Data Team • 01/28/2026

The vulnerability identified as CVE-2026-22200 represents a critical arbitrary file read flaw within Enhancesoft osTicket versions prior to 1.18.3 and 1.17.7, specifically affecting the ticket PDF export functionality. This security weakness stems from inadequate input sanitization of rich-text HTML content submitted through tickets, creating a path for remote attackers to manipulate the mPDF PDF generation process. The flaw operates through a combination of insufficient validation and improper handling of PHP filter expressions within HTML content, allowing malicious actors to craft payloads that bypass normal security controls during PDF export operations.

The technical execution of this vulnerability relies on the mPDF library's processing of HTML content containing PHP filter expressions such as php://filter or other file inclusion mechanisms. When a user exports a ticket containing crafted HTML to PDF format, the mPDF generator processes these expressions without proper sanitization, enabling the PDF generation process to embed local filesystem contents as bitmap images within the exported document. This occurs because the application fails to properly validate or escape HTML content before passing it to the PDF rendering engine, creating a direct path for file system enumeration and content disclosure.

From an operational perspective, this vulnerability presents significant risk to organizations using osTicket with guest ticket creation or self-registration enabled, as it allows attackers to access sensitive files on the server without requiring authentication. The attack vector is particularly dangerous because it leverages legitimate application functionality, making detection more challenging. An attacker can exploit this vulnerability to read configuration files, database credentials, application source code, or other sensitive data that may be stored locally on the server, potentially leading to further compromise of the system. The impact extends beyond simple information disclosure, as the ability to read arbitrary files can reveal authentication tokens, encryption keys, or other critical system components that may enable additional attacks.

This vulnerability maps directly to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-77 (Improper Neutralization of Special Elements used in a Command) within the CWE taxonomy, reflecting both the path traversal aspects and the command injection potential inherent in the flawed processing of user-supplied HTML content. The attack pattern aligns with ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing), as attackers may leverage compromised accounts or create new ones to submit malicious content, while T1005 (Data from Local System) represents the primary objective of accessing local files. Organizations should upgrade immediately to 1.18.3 (for 1.18.x) or 1.17.7 (for 1.17.x), while also considering network-level restrictions on PDF generation functionality and enhanced input validation for all rich-text fields. Additionally, monitoring for unusual PDF export activity and implementing proper access controls to limit guest capabilities can significantly reduce the attack surface and mitigate potential exploitation of this vulnerability.
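The mechanism described above (a resource reference in ticket HTML that the PDF renderer resolves through a PHP stream wrapper rather than over HTTP) and the "enhanced input validation for all rich-text fields" recommendation both come down to one control: before HTML reaches the PDF generator, every reference the renderer could fetch must be checked against an allowlist of schemes. The following is an added example written for this page; it is not osTicket's or mPDF's code, and it does not show how either project actually sanitizes input. It assumes a policy of "absolute http(s) URLs only" (relative paths, `data:`, `file:`, `php:` and anything else are dropped), which is an assumption to be tuned to what a deployment legitimately needs. The sample ticket body is constructed, with the referenced path replaced by a placeholder, and covers the evasions a reviewer would ask about: scheme case, padding, entity-encoded scheme characters, CSS `url()` in style attributes and in `<style>` blocks.

```python
"""Allowlist sanitizer for ticket rich-text HTML ahead of PDF export.

Added example, not osTicket or mPDF code. Only absolute http(s) URLs with a
host survive in fetchable attributes and CSS url() tokens; everything else
(php://, file://, data:, relative paths, ...) is removed and reported so the
rejection can be logged.
"""
import html
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # policy assumption for this example
# Attributes a renderer may treat as a resource to fetch.
URL_ATTRS = {"src", "href", "data", "poster", "background"}
CSS_URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)

Rejection = Tuple[str, str, str]  # (tag, attribute or "text", offending value)


def url_is_allowed(url: str) -> bool:
    """True only for an absolute http(s) URL that names a host."""
    cleaned = url.strip()
    # Embedded control characters (tabs, newlines) are a classic way to make a
    # scheme look harmless to one parser and different to another: reject outright.
    if any(not ch.isprintable() for ch in cleaned):
        return False
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


class TicketHtmlSanitizer(HTMLParser):
    """Re-emits the markup minus any resource reference that fails the policy."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # attribute entities are decoded for us
        self.parts: List[str] = []
        self.rejected: List[Rejection] = []
        self._in_style = False

    def _clean_style(self, tag: str, value: str) -> Optional[str]:
        for match in CSS_URL_RE.finditer(value):
            if not url_is_allowed(match.group(2)):
                self.rejected.append((tag, "style", match.group(2)))
                return None  # drop the whole style attribute, not just the token
        return value

    def _render(self, tag: str, attrs, self_closing: bool) -> str:
        out = [f"<{tag}"]
        for name, value in attrs:  # names are already lower-cased by HTMLParser
            if value is None:
                out.append(f" {name}")
                continue
            if name in URL_ATTRS and not url_is_allowed(value):
                self.rejected.append((tag, name, value))
                continue
            if name == "style":
                value = self._clean_style(tag, value)
                if value is None:
                    continue
            out.append(f' {name}="{html.escape(value, quote=True)}"')
        out.append(" />" if self_closing else ">")
        return "".join(out)

    def handle_starttag(self, tag, attrs):
        if tag == "style":  # stylesheet blocks are removed wholesale
            self._in_style = True
            return
        self.parts.append(self._render(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.parts.append(self._render(tag, attrs, True))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
            return
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if self._in_style:
            self.rejected.append(("style", "text", data.strip()))
            return
        self.parts.append(html.escape(data, quote=False))
    # comments, doctype and processing instructions are dropped by not re-emitting them


def sanitize_ticket_html(markup: str) -> Tuple[str, List[Rejection]]:
    parser = TicketHtmlSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.parts), parser.rejected


# Constructed sample, not a real ticket: one legitimate image plus the shapes
# this advisory describes, with the referenced path replaced by a placeholder.
SAMPLE_TICKET_HTML = (
    "<p>Printer on floor 3 is offline &amp; needs a visit.</p>"
    '<img src="https://cdn.example.com/screenshot.png" alt="screenshot">'
    '<img src="php://filter/resource=PLACEHOLDER_PATH">'
    '<img src=" PHP://filter/resource=PLACEHOLDER_PATH">'      # case and padding
    '<img src="&#112;hp://filter/resource=PLACEHOLDER_PATH">'  # entity-encoded scheme
    "<div style=\"background-image: url('file:///PLACEHOLDER_PATH')\">note</div>"
    "<style>body { background: url(file:///PLACEHOLDER_PATH) }</style>"
)

if __name__ == "__main__":
    clean, rejected = sanitize_ticket_html(SAMPLE_TICKET_HTML)
    print(clean)
    for tag, where, value in rejected:
        print(f"rejected <{tag}> {where}: {value!r}")
```

Run the sanitizer both when a ticket body is stored and again immediately before it is handed to the PDF renderer, and forward the `rejected` tuples to the application log: a stream-wrapper scheme appearing in a ticket image source is exactly the "unusual activity" worth alerting on. The absolute-URL-only policy is deliberately strict; if a deployment relies on inline images (for example `data:` URIs), add that scheme to the allowlist consciously rather than loosening the default.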

Responsible

VulnCheck

Reservation

01/06/2026

Disclosure

01/12/2026

Moderation

accepted

CPE

ready

EPSS

0.74425

KEV

no

Activities

very low
