← back
CVE-2026-8194

osTicket Dispatcher class.dispatcher.php cross-site request forgery

CVSS 5.3 MEDIUMEPSS 0.2%CWE-352CWE-862
A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown function of the file include/class.dispatcher.php of the component Dispatcher. The manipulation of the argument _method leads to cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Affected products
n/a · osTicket
public PoCs found1
cve_referencegithub.com/az10b/security-advisories/blob/main/csrf_bypass_osTicket.mdunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/az10b/security-advisories/blob/main/csrf_bypass_osTicket.mdhttps://github.com/osTicket/osTicket/https://github.com/osTicket/osTicket/pull/6945https://vuldb.com/submit/802755https://vuldb.com/vuln/362346https://vuldb.com/vuln/362346/cti