DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-22200: Paper Cuts to Pwnage: Turning osTicket PDF Exports into RCE


Vulnerability ID: CVE-2026-22200
CVSS Score: 8.7
Published: 2026-01-12

A critical vulnerability in the osTicket support system allows unauthenticated attackers to leverage the PDF export feature to read arbitrary server files and, in many cases, achieve Remote Code Execution (RCE) via the 'CNEXT' technique.

TL;DR

osTicket, the ubiquitous open-source helpdesk software, has a nasty habit of trusting user input when generating PDF exports. By embedding malicious php://filter chains into ticket images, attackers can trick the underlying mPDF library into reading local files (LFI). Worse, using the modern 'CNEXT' exploit technique involving iconv buffer overflows, this file read can be upgraded to full Remote Code Execution on Linux servers. The patch? Effectively unplugging PHP's ears while it writes the PDF.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • CWE ID: CWE-74
  • Attack Vector: Network (AV:N)
  • CVSS Score: 8.7 (Critical)
  • EPSS Score: 0.0428 (High Percentile)
  • Exploit Status: Weaponized (CNEXT)
  • Impact: Arbitrary File Read / RCE

Affected Systems

  • osTicket 1.18.x: >= 1.18.0, < 1.18.3 (fixed in 1.18.3)
  • osTicket 1.17.x: >= 1.17.0, < 1.17.7 (fixed in 1.17.7)
  • Any LAMP stack application using unpatched mPDF with user-controlled HTML

Code Analysis

Commit: c59b067

Unregister php stream wrapper during PDF export & harden HTML sanitization

+ @stream_wrapper_unregister('php');
+ call_user_func_array(array('parent', 'WriteHtml'), $args);
+ @stream_wrapper_restore('php');
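Review bot: the restore on the last `+` line is not exception-safe; if `WriteHtml` throws while rendering the export, `@stream_wrapper_restore('php')` never runs and the `php://` wrapper stays unregistered for the rest of the request, breaking any later code in the same process that relies on `php://output`, `php://temp` or `php://memory`. Wrap the call as `try { call_user_func_array(array('parent', 'WriteHtml'), $args); } finally { @stream_wrapper_restore('php'); }`. The `@` on the first line also silences the warning `stream_wrapper_unregister` raises when the wrapper is absent, so a failed unregistration (the protection silently not applying) leaves no trace; check its return value and log on `false`. Also, `array('parent', 'WriteHtml')` as a callable is deprecated since PHP 8.2; `parent::WriteHtml(...$args)` avoids that.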

Exploit Details

  • Horizon3.ai: Full technical breakdown and RCE chain analysis
  • GitHub: Nuclei detection template

Mitigation Strategies

  • Disable PDF export functionality in Admin Panel -> Settings -> Tickets.
  • Implement WAF rules blocking 'php://filter' and 'convert.iconv' in HTTP bodies.
  • Restrict 'open.php' access to trusted IPs or authenticated users only.
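
As an added example (not osTicket's or the report's code), the following Python scanner applies the WAF mitigation above to constructed request bodies: it undoes URL and entity encoding, flags php://filter or convert.iconv references inside `<img>` src/srcset attributes as high confidence, and treats mentions elsewhere in the body as review-only, because a ticket that merely discusses PHP would otherwise be blocked by a blanket rule. The sample bodies and the PLACEHOLDER filter name are constructed.

```python
import html
import re
from urllib.parse import unquote

# Added example, not osTicket code: flag PHP stream-filter references in image
# sources of ticket HTML / request bodies, the CVE-2026-22200 vector.
WRAPPER_RE = re.compile(r"php://filter|convert\.iconv", re.IGNORECASE)
IMG_ATTR_RE = re.compile(
    r"""<img\b[^>]*?\b(src|srcset)\s*=\s*(?:(["'])(.*?)\2|([^\s>]+))""",
    re.IGNORECASE | re.DOTALL,
)

def normalize(body: str) -> str:
    """Undo up to two layers of URL and HTML-entity encoding before matching."""
    for _ in range(2):
        body = html.unescape(unquote(body))
    return body

def img_wrapper_refs(body: str) -> list[tuple[str, str]]:
    """High-confidence findings: (attribute, value) on <img> tags whose
    src/srcset value references php://filter or convert.iconv."""
    findings = []
    for m in IMG_ATTR_RE.finditer(normalize(body)):
        attr, _, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if WRAPPER_RE.search(value):
            findings.append((attr.lower(), value))
    return findings

def body_mentions_wrapper(body: str) -> bool:
    """Low-confidence signal, equivalent to a blanket WAF rule: a ticket that
    merely discusses php://filter in prose also trips it."""
    return WRAPPER_RE.search(normalize(body)) is not None

def verdict(body: str) -> str:
    if img_wrapper_refs(body):
        return "block"
    return "review" if body_mentions_wrapper(body) else "allow"
SAMPLES = {  # constructed request bodies; PLACEHOLDER is not a real filter name
    "benign": '<p>Printer jam</p><img src="https://cdn.example.test/jam.png">',
    "direct": '<img src="php://filter/convert.iconv.PLACEHOLDER/resource=/etc/hostname">',
    "encoded": "body=<img srcset=%22php%3A%2F%2Ffilter%2Fconvert.iconv.PLACEHOLDER"
               "%2Fresource%3D%2Fetc%2Fhostname%22>",
    "discussion": "<p>Our app reads config through php://filter, is that safe?</p>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} -> {verdict(body):6s} {img_wrapper_refs(body)}")
```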

Remediation Steps:

  1. Backup your osTicket database and installation directory.
  2. Download the latest release (v1.18.3+ or v1.17.7+).
  3. Replace the core files on your web server with the patched versions.
  4. Verify the patch by attempting to export a ticket containing a benign 'srcset' attribute (it should be stripped).

Read the full report for CVE-2026-22200 on our website for more details including interactive diagrams and full exploit analysis.
