CVE-2026-14871

EUVD-2026-45186
osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) leading to Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
Fluid AttacksCNA
7.1 HIGH
NETWORK
LOW
LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N