cvedb.io
CVE-2026-22675
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2026-04-06T22:16:20.673 · Last modified 2026-06-17T10:20:12.877

Summary

OCS Inventory NG Server versions 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values, which are stored without sanitization and rendered with insufficient encoding in the web console. The result is arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.
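A defender-side check for the behaviour described above, as an added example that is not code from OCS Inventory NG or from this database: it scans web server access logs for requests to /ocsinventory whose User-Agent carries HTML metacharacters, and shows the output encoding a console should apply before rendering a stored value. The Apache/Nginx "combined" log format, the function names and the sample log lines are assumptions made for the illustration.

```python
import html
import re

# "combined" access log format (assumed); the last quoted field is the User-Agent.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
# Characters that matter once a value is placed into HTML, plus \xNN escapes
# that web servers write into the log for non-printable bytes.
HTML_META = re.compile(r'[<>"\'&]|\\x[0-9a-fA-F]{2}')


def suspicious_agents(lines, endpoint="/ocsinventory"):
    """Return (ip, timestamp, user_agent) for endpoint hits whose UA carries markup characters."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        # Ignore unparsable lines and requests to any other path.
        if not m or m["path"].split("?", 1)[0] != endpoint:
            continue
        if HTML_META.search(m["ua"]):
            hits.append((m["ip"], m["ts"], m["ua"]))
    return hits


def render_cell(user_agent):
    """Encode a stored User-Agent for an HTML text node or quoted attribute."""
    return html.escape(user_agent, quote=True)


# Constructed sample log lines (documentation IP ranges, not from a real server).
SAMPLE = [
    '198.51.100.7 - - [06/Apr/2026:10:01:12 +0000] "POST /ocsinventory HTTP/1.1" '
    '200 312 "-" "OCS-NG_unified_unix_agent_v2.10.0"',
    '203.0.113.9 - - [06/Apr/2026:10:02:40 +0000] "POST /ocsinventory HTTP/1.1" '
    '200 312 "-" "<script>alert(1)</script>"',
    '203.0.113.9 - - [06/Apr/2026:10:03:05 +0000] "GET /index.php HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) <b>"',
]

if __name__ == "__main__":
    for ip, ts, ua in suspicious_agents(SAMPLE):
        print(f"{ts} {ip} raw={ua!r} encoded={render_cell(ua)!r}")
```

A hit means a value with markup characters reached the endpoint; whether it was stored and rendered still has to be confirmed against the server's database and console.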

Affected products

ocsinventory-ng — ocs_inventory_server


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.