CVE-2026-22675

NameCVE-2026-22675
DescriptionOCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitation and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1134342

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ocsinventory-server (PTS)bullseye2.8.1+dfsg1-1+deb11u1vulnerable
bookworm2.8.1+dfsg1+~2.11.1-1vulnerable
sid2.8.1+dfsg1+~2.11.1-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ocsinventory-serversource(unstable)(unfixed)1134342

Notes

[bookworm] - ocsinventory-server <no-dsa> (Minor issue)
[bullseye] - ocsinventory-server <ignored> (security support limited to trusted network)
https://github.com/OCSInventory-NG/OCSInventory-Server/pull/483
Fixed by: https://github.com/OCSInventory-NG/OCSInventory-Server/commit/f81e28a503ded042f037a7837e78f76528754ee7
Search for package or bug name: Reporting problems