CVE-2026-22675
Modified Modified - Updated After Analysis
Stored XSS in OCS Inventory NG Server Allows Arbitrary Script Execution

Publication date: 2026-04-06

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitization and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22675
EUVD
EUVD-2026-19484
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ocsinventory-ng ocs_inventory_server to 2.12.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OCS Inventory NG Server version 2.12.3 and earlier. It is a stored cross-site scripting (XSS) flaw that allows unauthenticated attackers to execute arbitrary JavaScript code. Attackers exploit this by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. These malicious headers are stored without proper sanitation and later rendered with insufficient encoding in the web console, specifically in the statistics dashboard viewed by authenticated users.

Impact Analysis

The impact of this vulnerability is that attackers can execute arbitrary JavaScript in the browsers of authenticated users who view the statistics dashboard. This can lead to unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the user within the web application. Since the attack requires the attacker to submit malicious User-Agent headers that get stored and rendered, it can be used to compromise the integrity and confidentiality of user sessions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22675. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart