CVE-2026-22675

Published: Apr 6, 2026

Modified: May 26, 2026

PUBLISHED

CVSS v3.1

5.4

MEDIUM

Description

OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitization and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.

Vendor	Product	Versions
OCS Inventory	OCS Inventory NG Server	affected `0 - <= 2.12.3` unaffected `78faf2ca8b897141ba4d337d75692ab8e405bd4e`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/OCSInventory-NG/OCSInventory-Server/pull/483

issue-tracking

https://github.com/OCSInventory-NG/OCSInventory-Server/commit/78faf2ca8b897141ba4d337d75692ab8e405bd4e

patch

https://www.vulncheck.com/advisories/ocs-inventory-ng-server-stored-xss-via-user-agent

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-22675

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References