CVE-2026-22675

EUVD-2026-19484
OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitization and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.
Cross-site Scripting
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.4 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
EPSS Score Percentile: 19%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| ocsinventory-ng | ocs_inventory_server | 𝑥 ≤ 2.12.3 |

𝑥 = Vulnerable software versions
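Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| ocsinventory-server | bionic | needs-triage |
| ocsinventory-server | focal | needs-triage |
| ocsinventory-server | jammy | needs-triage |
| ocsinventory-server | noble | needs-triage |
| ocsinventory-server | questing | needs-triage |
| ocsinventory-server | resolute | dne |
| ocsinventory-server | xenial | ignored |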