CVE-2026-22675
5.4 MEDIUMOCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attacker...
Published: 2026-04-06 · Last updated: 2026-05-26
Severity and scoring
- CVSS
- 5.4 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- CWE
- CWE-79
Affected products
| Vendor | Product |
|---|---|
| ocsinventory-ng | ocs_inventory_server |
Description
OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitization and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-22675
- [Patch]https://github.com/OCSInventory-NG/OCSInventory-Server/commit/78faf2ca8b897141ba4d337d75692ab8e405bd4e
- [Other]https://github.com/OCSInventory-NG/OCSInventory-Server/pull/483
- [Other]https://www.vulncheck.com/advisories/ocs-inventory-ng-server-stored-xss-via-user-agent
Related CVEs
Same CWE
- CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
- CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
- CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions (7.1 HIGH)
- CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
- CVE-2026-39437 — Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)