CVE-2026-9507

EUVD-2026-37079

16.06.2026, 13:16

A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier (OSTSESSID) active after a successful login.



The issue lies in the fact that the application does not invalidate the pre-authentication cookie or generate a new identifier for the authenticated context. As a result, if an attacker manages to set a known session identifier in the victim’s browser, they will be able to maintain unauthorised access to the account once the victim has authenticated.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
INCIBE	CNA	5.1 MEDIUM	NETWORK	LOW	NONE	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
enhancesoft	osticket	1.18.2	CNA

Common Weakness Enumeration

CWE-38 - Path Traversal: '\absolute\pathname\here'
A software system that accepts input in the form of a backslash absolute path ('\absolute\pathname\here') without appropriate validation can allow an attacker to traverse the file system to unintended locations or access arbitrary files.

References

https://www.incibe.es/en/incibe-cert/notices/aviso/session-fixation-vulnerability-enhancesofts-osticket