Share
## https://sploitus.com/exploit?id=D56B5603-EDE0-5D7E-AFC4-FC3FD2B168FB
# CVE Disclosures

Coordinated vulnerability disclosures and CVE references published by
**Anindya Sankar Roy** (GitHub: [@fr3akhacks](https://github.com/fr3akhacks)).

Each entry below links to a public advisory containing the affected product,
affected/fixed version(s), CVE ID, prose description, vulnerability type, root
cause, and impact.

## osTicket (Enhancesoft LLC)

| CVE ID | Title | Type | CWE | CVSS 3.1 | Affected |
|--------|-------|------|-----|----------|----------|
| [CVE-2026-38444](osTicket/CVE-2026-38444.md) | Stored XSS via email From-header display name | Stored XSS | CWE-79 | 8.1 | osTicket <= 1.18.3 |
| [CVE-2026-38446](osTicket/CVE-2026-38446.md) | Stored XSS via thread entry title | Stored XSS | CWE-79 | 7.6 | osTicket <= 1.18.3 |
| [CVE-2026-38447](osTicket/CVE-2026-38447.md) | Weak API key generation (MD5 + predictable inputs) | Broken crypto | CWE-327, CWE-338 | 5.9 | osTicket <= 1.18.3 |