Fabre

#1134342 ocsinventory-server: CVE-2026-22675 #1134342

Package:: src:ocsinventory-server

Source:: src:ocsinventory-server

Submitter:: Salvatore Bonaccorso

Date:: 2026-05-13 02:47:14 UTC

Severity:: normal

Tags:

#1134342#5

Date:: 2026-04-18 19:38:20 UTC

From:

To:

Hi,

The following vulnerability was published for ocsinventory-server.

CVE-2026-22675[0]:
| OCS Inventory NG Server version 2.12.3 and prior contain a stored
| cross-site scripting vulnerability that allows unauthenticated
| attackers to execute arbitrary JavaScript by submitting malicious
| User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can
| register rogue agents or craft requests with malicious User-Agent
| values that are stored without sanitation and rendered with
| insufficient encoding in the web console, leading to arbitrary
| JavaScript execution in the browsers of authenticated users viewing
| the statistics dashboard.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-22675
https://www.cve.org/CVERecord?id=CVE-2026-22675
[1] https://github.com/OCSInventory-NG/OCSInventory-Server/pull/483
[2] https://github.com/OCSInventory-NG/OCSInventory-Server/commit/f81e28a503ded042f037a7837e78f76528754ee7

Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore

#1134342 ocsinventory-server: CVE-2026-22675 #1134342

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)