Description
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue.
Published: 2026-03-27
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via FOG management pages
Action: Patch Now
AI Analysis

Impact

The flaw is a stored cross‑site scripting vulnerability that arises from server‑side input not being sanitized and from the lack of HTML escaping when rendering records on multiple management pages. Data entered by an attacker is persisted in the database and subsequently executed in the browser of any logged‑in user who views the affected page, allowing the attacker to run arbitrary JavaScript. This can result in session hijacking, credential theft, or defacement of the FOG interface.
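As an added illustration of the defect class described above (example code written for this page, not FOG's own code; the record layout, field names and sample values are constructed), the block below renders a listing-table row with stored values interpolated verbatim, renders the same row with output escaping, and includes a small audit that flags records already holding HTML-significant characters, which is useful after an upgrade because escaping at render time does not clean up values stored while the bug was live.

```python
"""Added example (not FOG code): escape stored record fields when rendering a listing table."""
import html
import re

# Constructed sample records, shaped like what a management listing might store.
# The second record carries markup that would alter the page if emitted raw.
SAMPLE_HOSTS = [
    {"name": "lab-pc-01", "description": "Imaging test bench"},
    {"name": "<b>injected</b>", "description": 'x" data-injected="yes'},
]


def render_row_unsafe(record: dict) -> str:
    """Render a table row by interpolating stored values verbatim.

    This mirrors the defect class in the advisory: whatever was accepted at
    create/update time reaches the browser as live markup, in both text and
    attribute context.
    """
    return (
        "<tr><td>{name}</td>"
        '<td title="{description}">{description}</td></tr>'
    ).format(**record)


def escape_cell(value: str) -> str:
    """Escape a value for inclusion in HTML text and quoted-attribute context.

    quote=True escapes both quote characters as well, so the value cannot
    terminate a quoted attribute such as title="...".
    """
    return html.escape(value, quote=True)


def render_row_safe(record: dict) -> str:
    """Render the same row with every stored field escaped at output time."""
    name = escape_cell(record["name"])
    desc = escape_cell(record["description"])
    return f'<tr><td>{name}</td><td title="{desc}">{desc}</td></tr>'


# Characters that can open a tag or break out of a quoted attribute.
_MARKUP_CHARS = re.compile(r"[<>\"']")


def find_suspect_records(records: list[dict]) -> list[tuple[int, str]]:
    """Flag stored values containing HTML-significant characters.

    Output escaping stops future renders from executing markup, but records
    written while the bug was live still hold it and deserve manual review.
    Returns (record index, field name) pairs.
    """
    hits = []
    for idx, record in enumerate(records):
        for field, value in record.items():
            if _MARKUP_CHARS.search(value):
                hits.append((idx, field))
    return hits


if __name__ == "__main__":
    for rec in SAMPLE_HOSTS:
        print("unsafe:", render_row_unsafe(rec))
        print("safe:  ", render_row_safe(rec))
    print("records needing review:", find_suspect_records(SAMPLE_HOSTS))
```

Escaping belongs at the output boundary regardless of what validation happens on create/update, because the same stored value may later be rendered in several contexts; the audit function is the complementary step for data that predates the fix.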

Affected Systems

FOGProject’s fogproject software is affected on all releases before 1.5.10.1812. The vulnerability appears on the Host, Storage, Group, Image, Printer and Snapin management pages, where new or edited records are displayed.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity, while the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access with permission to create or update records, so the attack vector is internal or privileged. Once injected, the malicious payload is stored and delivered to any user who visits the affected pages, providing a persistent exploitation vector against every user with read access to those pages.

Generated by OpenCVE AI on April 8, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to FOGProject fogproject version 1.5.10.1812 or later. If an immediate update is not possible, restrict administrative access to the affected pages and use a web application firewall or input‑validation controls to block script payloads.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 15:15:00 +0000

  Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:fogproject:fogproject:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 07:15:00 +0000

  Type: First Time appeared
  Values Removed: (none)
  Values Added: Fogproject; Fogproject fogproject

  Type: Vendors & Products
  Values Removed: (none)
  Values Added: Fogproject; Fogproject fogproject

Sat, 28 Mar 2026 03:15:00 +0000

  Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 20:00:00 +0000

  Type: Description
  Values Removed: (none)
  Values Added: FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue.

  Type: Title
  Values Removed: (none)
  Values Added: FOG has Stored XSS in Multiple Management Pages

  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79

  Type: References
  Values Removed: (none)
  Values Added: (none listed)

  Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
  {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T20:29:44.713Z

Reserved: 2026-03-23T17:34:57.561Z

Link: CVE-2026-33739

Vulnrichment

Updated: 2026-03-27T20:29:41.292Z

NVD

Status: Analyzed

Published: 2026-03-27T20:16:33.423

Modified: 2026-04-08T15:08:44.030

Link: CVE-2026-33739

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:01:05Z

Weaknesses