CVE-2026-22200: osTicket PDF File Read + CNEXT RCE

Proof of concept exploit for osTicket CVE-2026-22200 which abuses PHP filters to exfiltrate files through the mPDF library and can be chained to RCE via CVE-2024-2961 (CNEXT).

Blog Post

Deep-dive here: Horizon3.ai - Ticket to Shell: Exploiting PHP Filters and CNEXT in osTicket (CVE-2026-22200)

Follow the Horizon3.ai Attack Team on Twitter for the latest security research:

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

Name		Name	Last commit message	Last commit date
Latest commit History 1 Commit
README.md		README.md
check.py		check.py
cnext_exploit_payload_gen.py		cnext_exploit_payload_gen.py
extract_pdf_images.py		extract_pdf_images.py
osticket_access_bruteforce.py		osticket_access_bruteforce.py
osticket_forge_access_link.py		osticket_forge_access_link.py
osticket_registered_user_enum.py		osticket_registered_user_enum.py
osticket_ticket_payload_gen.py		osticket_ticket_payload_gen.py
requirements.txt		requirements.txt
try_download_libc.py		try_download_libc.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

CVE-2026-22200: osTicket PDF File Read + CNEXT RCE

Blog Post

Follow the Horizon3.ai Attack Team on Twitter for the latest security research:

Disclaimer

About

Uh oh!

Releases

Packages

Languages

horizon3ai/CVE-2026-22200

Folders and files

Latest commit

History

Repository files navigation

CVE-2026-22200: osTicket PDF File Read + CNEXT RCE

Blog Post

Follow the Horizon3.ai Attack Team on Twitter for the latest security research:

Disclaimer

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages