Cross-Site Scripting in Fleet Device Management Software
CVE-2026-22808

5.5 MEDIUM

Key Information:

Vendor

Fleetdm

Status
Vendor
CVE Published:
21 January 2026

What is CVE-2026-22808?

Fleet device management software, prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, is susceptible to a Cross-Site Scripting (XSS) vulnerability when Windows MDM is enabled. An unauthenticated attacker could exploit this flaw to extract an administrator's authentication token from localStorage. This vulnerability poses a significant risk, enabling unauthorized users to gain access to Fleet, potentially allowing them to manage devices, view sensitive data, and alter configurations. To mitigate the risk, users are advised to either upgrade to the patched versions or disable Windows MDM until an upgrade can be conducted.

Affected Version(s)

fleet >= 4.78.0, < 4.78.2 (not affected: < 4.78.0; fixed in: 4.78.2)

fleet >= 4.77.0, < 4.77.1 (not affected: < 4.77.0; fixed in: 4.77.1)

fleet >= 4.76.0, < 4.76.2 (not affected: < 4.76.0; fixed in: 4.76.2)

CVSS V4

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved
