Description
OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitization and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.
Published: 2026-04-06
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OCS Inventory NG Server version 2.12.3 and earlier contain a stored cross‑site scripting flaw that enables unauthenticated attackers to deliver malicious JavaScript by inserting a malicious User‑Agent header in HTTP requests to the /ocsinventory endpoint. The header is saved without sanitization and later displayed in the web console within the statistics dashboard. When an authenticated user views this dashboard, the unsanitized content is executed in their browser, allowing cookie theft, session hijacking, or other client‑side attacks. The weakness is a stored cross‑site scripting (CWE‑79).

Affected Systems

The vulnerability affects the OCS Inventory NG Server product from OCS Inventory. Any installations running version 2.12.3 or earlier are susceptible; newer releases have the fix applied.

Risk and Exploitability

The CVSS base score of 5.1 indicates medium severity. The EPSS score is below 1%, suggesting a low probability of exploitation, and the flaw is not listed in CISA's KEV catalog. Attackers can inject malicious User‑Agent headers without authentication, but the payload only executes when an authenticated user views the statistics dashboard. The risk is moderate, but the potential for credential compromise makes prompt remediation important.

Generated by OpenCVE AI on May 26, 2026 at 14:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OCS Inventory NG Server to the latest available version that includes the User‑Agent sanitization fix (for example, 2.12.4 or later).
  • Verify that the web console no longer renders User‑Agent values and that input validation or output encoding is in place.
  • Review the database for any stored malicious User‑Agent strings and delete them if present.
  • Implement logging or monitoring to detect unexpected User‑Agent headers.
  • Consider applying an access control or web‑app firewall rule to block or sanitize User‑Agent headers until a patch is applied.
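As an added defensive example (not OCS Inventory's own code), the following Python scans constructed access-log lines for requests to the /ocsinventory endpoint whose User-Agent carries HTML or script markup, and shows the output encoding a dashboard should apply before rendering a stored User-Agent. The combined log format, the sample lines and the markup heuristic are assumptions.

```python
import html
import re

# Constructed sample lines in Apache/nginx "combined" log format (assumption:
# the real server's log layout may differ). The last quoted field is the User-Agent.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Apr/2026:10:00:01 +0000] "POST /ocsinventory HTTP/1.1" 200 512 "-" "OCS-NG_WINDOWS_AGENT_v2.9.1.0"
10.0.0.9 - - [06/Apr/2026:10:00:07 +0000] "POST /ocsinventory HTTP/1.1" 200 512 "-" "<script>alert(1)</script>"
10.0.0.7 - - [06/Apr/2026:10:00:09 +0000] "GET /ocsreports/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 <img src=x onerror=alert(1)>"
10.0.0.3 - - [06/Apr/2026:10:00:12 +0000] "POST /ocsinventory HTTP/1.1" 200 512 "-" "OCS-NG_unified_unix_agent_v2.10.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristic: tag openers, inline event handlers and javascript: URLs have no
# business in an inventory agent's User-Agent string.
SUSPICIOUS_UA = re.compile(r"<\s*/?\s*[a-z]|on[a-z]+\s*=|javascript:", re.IGNORECASE)


def parse_combined(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_agents(log_text, endpoint="/ocsinventory"):
    """Return (ip, user_agent) pairs whose User-Agent looks like markup.
    With the default endpoint only requests to the agent endpoint are checked;
    pass endpoint=None to check every request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if not rec or (endpoint is not None and rec["path"] != endpoint):
            continue
        if SUSPICIOUS_UA.search(rec["ua"]):
            hits.append((rec["ip"], rec["ua"]))
    return hits


def render_agent_cell(user_agent):
    """Output-encode a stored User-Agent before placing it in an HTML table cell.
    html.escape(quote=True) neutralises <, >, &, " and ' so the value renders as text."""
    return "<td>" + html.escape(user_agent, quote=True) + "</td>"
```

The third sample line shows why the endpoint filter matters: a suspicious User-Agent on a console request is noise for this issue, but `endpoint=None` still surfaces it for a broader review.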


Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type: Description
Values Removed: OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitation and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.
Values Added: OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitization and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.

Thu, 09 Apr 2026 17:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:ocsinventory-ng:ocs_inventory_server:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Ocsinventory-ng; Ocsinventory-ng ocs Inventory Server
Type: Vendors & Products
Values Added: Ocsinventory-ng; Ocsinventory-ng ocs Inventory Server

Tue, 07 Apr 2026 00:00:00 +0000

Type: Description
Values Added: OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitation and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.
Type: Title
Values Added: OCS Inventory NG Server Stored XSS via User-Agent
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T11:52:01.295Z

Reserved: 2026-01-08T19:04:26.365Z

Link: CVE-2026-22675

Vulnrichment

Updated: 2026-04-07T13:39:26.682Z

NVD

Status: Modified

Published: 2026-04-06T22:16:20.673

Modified: 2026-05-26T14:16:29.540

Link: CVE-2026-22675

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T15:00:10Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')