osTicket Arbitrary File Read via PHP Filter Chains in mPDF
| Disclosed | Created |
|---|---|
| Jan 13, 2026 | Apr 7, 2026 |
Description
This module exploits an arbitrary file read vulnerability in osTicket
(CVE-2026-22200). The vulnerability exists in osTicket's PDF export
functionality which uses mPDF. By injecting a specially crafted HTML payload
containing PHP filter chain URIs into a ticket reply, an attacker can read
arbitrary files from the server when the ticket is exported to PDF.
The php://filter chain abuses PHP's convert.iconv and base64 stream filters to emit a fixed byte prefix, here a BMP file header, ahead of the target file's contents, so the stream reads as a valid bitmap whose pixel data is the file. When mPDF renders the ticket as a PDF, it fetches the image from the php://filter URI, reads the target file through the chain, and embeds the result as a bitmap in the PDF. The module then pulls that image out of the PDF and recovers the file contents from its pixel data.
Authentication is required: the module can log in through either the staff panel (/scp/) or the client portal, and it needs the number of an existing ticket to post the crafted reply against.
By default the module extracts /etc/passwd and include/ost-config.php. The osTicket config file contains the database credentials and the SECRET_SALT value.
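The following Python is an added illustration and is not the Metasploit module's code or osTicket's. It shows the two halves of the mechanism described above in a form that runs offline: the BMP header that has to sit in front of a file for an image parser to accept the file as pixel data (built directly here, where the real attack has a php://filter chain emit it), and the recovery step that parses such an image back into the file. It also includes a small defensive check, scanning ticket HTML for php:// stream wrappers, which a ticket body has no legitimate reason to contain. The sample reply and the sample file contents are constructed for the example.

```python
"""Added example: BMP wrapping/unwrapping of a file, plus a scan for php://
stream wrappers in ticket HTML. Not code from the module or from osTicket."""
import re
import struct

FILE_HEADER_LEN = 14                     # BITMAPFILEHEADER
DIB_HEADER_LEN = 40                      # BITMAPINFOHEADER
PIXEL_OFFSET = FILE_HEADER_LEN + DIB_HEADER_LEN


def _geometry(payload_len: int):
    """One 24-bit row wide enough to hold payload_len bytes. BMP rows are
    padded to a multiple of 4 bytes, so the stride can exceed 3 * width."""
    width = max(1, -(-payload_len // 3))          # ceil(payload_len / 3)
    stride = (width * 3 + 3) & ~3
    return width, stride


def bmp_prefix(payload_len: int) -> bytes:
    """Header bytes that turn whatever follows into a 1-row, 24-bit BMP.
    In the attack a php://filter chain produces a prefix of this shape in
    front of the target file; here it is assembled with struct instead."""
    width, stride = _geometry(payload_len)
    file_hdr = struct.pack("<2sIHHI", b"BM", PIXEL_OFFSET + stride,
                           0, 0, PIXEL_OFFSET)
    dib_hdr = struct.pack("<IiiHHIIiiII",
                          DIB_HEADER_LEN,   # header size
                          width, 1,         # width, height (a single row)
                          1, 24,            # colour planes, bits per pixel
                          0,                # BI_RGB, no compression
                          stride,           # image size in bytes
                          2835, 2835,       # 72 dpi expressed in pixels/metre
                          0, 0)             # colours used / important
    return file_hdr + dib_hdr


def wrap_file_as_bmp(data: bytes) -> bytes:
    """Prefix + file contents, NUL-padded to the declared row length."""
    _width, stride = _geometry(len(data))
    return bmp_prefix(len(data)) + data.ljust(stride, b"\0")


def recover_file_from_bmp(blob: bytes) -> bytes:
    """The recovery step: parse the headers, locate the pixel data and
    return it without the NUL row padding. Caveat: a file that really
    ends in NUL bytes loses them, since padding and content look alike."""
    magic, _size, _r1, _r2, offset = struct.unpack_from("<2sIHHI", blob, 0)
    if magic != b"BM":
        raise ValueError("not a BMP")
    _hs, width, height, _planes, bpp, comp = struct.unpack_from(
        "<IiiHHI", blob, FILE_HEADER_LEN)
    if bpp != 24 or comp != 0:
        raise ValueError("only uncompressed 24-bit BMPs are handled")
    stride = (width * 3 + 3) & ~3
    pixels = blob[offset:offset + stride * abs(height)]
    return pixels.rstrip(b"\0")


# Defensive check: any php:// wrapper in ticket HTML is suspicious no
# matter which attribute carries it, so the scan is deliberately broad.
PHP_WRAPPER = re.compile(r"php://[^\s\"'<>)]+", re.IGNORECASE)


def find_php_wrappers(html: str) -> list:
    """Return every php:// URI found in a ticket body or reply."""
    return PHP_WRAPPER.findall(html)


# Constructed sample reply carrying a php://filter URI in an <img> tag.
SAMPLE_REPLY = (
    "<p>Thanks, please see the screenshot.</p>"
    '<img src="php://filter/convert.base64-encode/resource=/etc/passwd">'
)

if __name__ == "__main__":
    secret = b"root:x:0:0:root:/root:/bin/bash\n"   # constructed file content
    blob = wrap_file_as_bmp(secret)
    print(recover_file_from_bmp(blob) == secret)
    print(find_php_wrappers(SAMPLE_REPLY))
```

Run stand-alone it confirms the round trip and lists the wrapper URI in the sample reply. The scan is something a defender can run over the osTicket reply bodies in the database after the fact, or an administrator can use to gate inbound HTML before it reaches the PDF renderer.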
Authors
HORIZON3.ai Team
Arkaprabha Chakraborty @t1nt1nsn0wy
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':