CVE-2026-8194— osTicket Dispatcher class.dispatcher.php cross-site request forgery
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8194
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
osTicket Dispatcher class.dispatcher.php cross-site request forgery
Source: NVD (National Vulnerability Database)
Vulnerability Description
A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown function of the file include/class.dispatcher.php of the component Dispatcher. The manipulation of the argument _method leads to cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨站请求伪造(CSRF)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| - | osTicket | 1.18.0 | cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:* |
II. Public POCs for CVE-2026-8194
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-8194
请登录查看更多情报信息。
- CVE-2026-8194 | osTicket up to 1.18.3 Dispatcher class.dispatcher.php _method cross-site request forgery (ID 6945)vdb-entrytechnical-description
- https://nvd.nist.gov/vuln/detail/CVE-2026-8194
Same Patch Batch · n/a · 2026-05-09 · 10 CVEs total
| CVE-2026-6665 | 8.1 HIGH | PgBouncer buffer overflow in SCRAM |
| CVE-2026-6664 | 7.5 HIGH | PgBouncer integer overflow in PgBouncer network packet parsing |
| CVE-2026-8193 | 6.3 MEDIUM | Akaunting Invoice PDF Rendering dompdf.php server-side request forgery |
| CVE-2026-6666 | 5.9 MEDIUM | PgBouncer crash in kill_pool_logins_server_error |
| CVE-2026-8186 | 5.3 MEDIUM | Open5GS NF client.c ogs_sbi_client_send_via_scp_or_sepp out-of-bounds |
| CVE-2026-8187 | 5.3 MEDIUM | Open5GS UPF gtp-path.c _gtpv1_u_recv_cb resource consumption |
| CVE-2026-8195 | 4.3 MEDIUM | JeecgBoot SVG File CommonController.java cross site scripting |
| CVE-2026-6667 | 4.3 MEDIUM | PgBouncer missing authorization check in KILL_CLIENT admin command |
| CVE-2026-8196 | 3.7 LOW | JeecgBoot mLogin Endpoint LoginController.java authorization |
IV. Related Vulnerabilities
Same weakness: CWE-352
- CVE-2021-47953
OpenCart 3.0.3.7 Cross-Site Request Forgery via account/pass - CVE-2021-47946
OpenCart 3.0.3.6 Account Takeover via Cross Site Request For - CVE-2022-50955
WordPress Plugin Curtain 1.0.2 Cross-site Request Forgery - CVE-2026-42286
Emlog: Cross-Site Request Forgery in Admin Functions - CVE-2026-42190
RedwoodSDK: Same-site CSRF in in server actions
V. Comments for CVE-2026-8194
No comments yet