Stored Cross-Site Scripting in OCS Inventory NG Server by OCS Inventory
CVE-2026-22675

5.1 MEDIUM

Key Information:

Vendor
CVE Published: 6 April 2026

What is CVE-2026-22675?

OCS Inventory NG Server version 2.12.3 and earlier contains a stored cross-site scripting vulnerability. Unauthenticated attackers can send requests to the /ocsinventory endpoint carrying malicious User-Agent HTTP headers. Because the header value is not properly sanitized or encoded, it is stored and later rendered in the statistics dashboard, where it executes as arbitrary JavaScript in the browsers of authenticated users viewing the web console.
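A triage check for the behaviour described above, added here as an example (it is not code from the advisory or from OCS Inventory): it scans web server access logs for requests to /ocsinventory whose User-Agent contains HTML markup characters, and HTML-encodes each value before reporting it. It assumes Apache "combined" log format; the log lines, addresses and agent strings are constructed samples.

```python
import html
import re

# Apache "combined" format; quotes inside a logged header arrive as \"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
# Characters an inventory agent string has no need for but HTML injection does
MARKUP = re.compile(r'[<>"]')

def suspicious_agent_requests(lines, endpoint="/ocsinventory"):
    """Return (ip, timestamp, encoded_ua) for endpoint hits whose UA has markup."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["path"].split("?", 1)[0] != endpoint:
            continue
        ua = m["ua"].replace('\\"', '"')  # undo Apache's quote escaping
        if MARKUP.search(ua):
            # Encode before the value goes into any report or web view,
            # so the triage output does not repeat the rendering flaw
            hits.append((m["ip"], m["ts"], html.escape(ua, quote=True)))
    return hits

# Constructed sample lines (documentation addresses, invented agent strings)
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Apr/2026:10:00:01 +0000] "POST /ocsinventory HTTP/1.1" 200 512 "-" "OCS-NG_unified_unix_agent_v2.10.0"',
    '198.51.100.7 - - [06/Apr/2026:10:02:13 +0000] "POST /ocsinventory HTTP/1.1" 200 0 "-" "<script>/*constructed*/</script>"',
    '198.51.100.7 - - [06/Apr/2026:10:02:14 +0000] "GET /ocsreports/ HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [06/Apr/2026:10:05:40 +0000] "POST /ocsinventory HTTP/1.1" 200 0 "-" "x\\" data-test=\\"constructed"',
]

if __name__ == "__main__":
    for ip, ts, ua in suspicious_agent_requests(SAMPLE_LOG):
        print(f"{ts}  {ip}  {ua}")
```

Hits from addresses that are not known inventory agents are the ones to review first, since the endpoint accepts unauthenticated requests.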

Affected Version(s)

OCS Inventory NG Server 0 <= 2.12.3

OCS Inventory NG Server 78faf2ca8b897141ba4d337d75692ab8e405bd4e

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alexandre Nesic (@_atsika) at Quarkslab.