CVE-2026-22675
Stored XSS in OCS Inventory NG Server Allows Arbitrary Script Execution
Publication date: 2026-04-06
Last updated on: 2026-04-09
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ocsinventory-ng | ocs_inventory_server | up to 2.12.3 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
The impact of this vulnerability is that attackers can execute arbitrary JavaScript in the browsers of authenticated users who view the statistics dashboard. This can lead to unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the user within the web application. Since the attack requires the attacker to submit malicious User-Agent headers that get stored and rendered, it can be used to compromise the integrity and confidentiality of user sessions.
Can you explain this vulnerability to me?
This vulnerability exists in OCS Inventory NG Server version 2.12.3 and earlier. It is a stored cross-site scripting (XSS) flaw that allows unauthenticated attackers to execute arbitrary JavaScript code. Attackers exploit this by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. These malicious headers are stored without proper sanitization and later rendered with insufficient encoding in the web console, specifically in the statistics dashboard viewed by authenticated users.
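The root cause described above, a stored request header rendered into a dashboard without output encoding, is illustrated by the following added example. It is not code from OCS Inventory NG; it is a stand-alone Python sketch that models the two rendering patterns side by side (raw interpolation versus HTML-entity encoding) over a constructed list of User-Agent strings, and adds a cheap triage check that a defender can run over already-stored values after patching. The sample agent strings and the `render_*` helper names are assumptions made for the example.

```python
import html

# Constructed sample of stored User-Agent strings, in the shape an inventory
# agent endpoint might persist them. The last one carries a script tag and
# stands in for the malicious header the advisory describes.
SAMPLE_USER_AGENTS = [
    "OCS-NG_unified_unix_agent_v2.10.0",   # constructed, benign
    "OCS-NG_WINDOWS_AGENT_v2.10.1.1",      # constructed, benign
    "Mozilla/5.0 <script>alert('xss')</script>",  # constructed, hostile
]


def render_row_unsafe(user_agent: str) -> str:
    """Vulnerable pattern: the stored header is interpolated straight into
    HTML, so any markup inside it becomes live markup in the viewer's browser."""
    return f"<tr><td>{user_agent}</td></tr>"


def render_row_safe(user_agent: str) -> str:
    """Hardened pattern: HTML-entity encode at output time, quotes included,
    so the browser treats the whole value as text whatever it contains."""
    return f"<tr><td>{html.escape(user_agent, quote=True)}</td></tr>"


def render_dashboard(user_agents, safe: bool = True) -> str:
    """Assemble a minimal statistics table from stored User-Agent values."""
    render = render_row_safe if safe else render_row_unsafe
    return "<table>" + "".join(render(ua) for ua in user_agents) + "</table>"


def looks_like_markup(value: str) -> bool:
    """Triage check for stored values containing HTML metacharacters.
    Output encoding is the real fix; this only helps find records that
    were written while the vulnerable version was deployed."""
    return any(ch in value for ch in "<>\"'")


def main() -> None:
    unsafe = render_dashboard(SAMPLE_USER_AGENTS, safe=False)
    safe = render_dashboard(SAMPLE_USER_AGENTS, safe=True)
    print("raw interpolation leaves a live <script> tag:", "<script>" in unsafe)
    print("entity encoding leaves a live <script> tag:", "<script>" in safe)
    for ua in SAMPLE_USER_AGENTS:
        if looks_like_markup(ua):
            print("stored User-Agent worth reviewing:", repr(ua))


if __name__ == "__main__":
    main()
```

The check in `looks_like_markup` is deliberately crude: it flags any stored value with HTML metacharacters so an administrator can review records written before the upgrade, but it must not be mistaken for input validation. The fix that removes the vulnerability class is encoding every stored value at the point it is written into the page, as `render_row_safe` does.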