Platform: php
Component: ocs-inventory-ng
Fixed in: 2.12.4
CVE-2026-22675 describes a stored cross-site scripting (XSS) vulnerability present in OCS Inventory NG Server versions prior to 2.12.4. This flaw enables unauthenticated attackers to inject and execute arbitrary JavaScript code by manipulating User-Agent HTTP headers sent to the /ocsinventory endpoint. Successful exploitation could lead to the compromise of authenticated users' sessions and the execution of malicious scripts within their browsers, particularly when viewing the statistics dashboard. Version 2.12.4 addresses this vulnerability.
CVE-2026-22675 in OCS Inventory NG Server, affecting versions prior to 2.12.4, presents a significant security risk. It allows unauthenticated attackers to execute arbitrary JavaScript code within the browsers of users accessing the web console. This is achieved by sending requests to the /ocsinventory endpoint with malicious User-Agent HTTP headers. The headers are not sanitized on input, and the stored values are insufficiently encoded when the information is rendered in the console, so the injected code executes. An attacker could register rogue agents or manipulate requests to include User-Agents containing harmful JavaScript, compromising the security of the inventory infrastructure.
An attacker could exploit this vulnerability by sending HTTP requests with specially crafted 'User-Agent' headers containing malicious JavaScript code. This code would be stored on the server and then displayed in the OCS Inventory NG Server web console. When a legitimate user accesses the console, the JavaScript code executes in their browser, allowing the attacker to steal sensitive information, redirect the user to malicious websites, or perform other harmful actions. The lack of authentication required to send these headers makes the vulnerability particularly concerning, as anyone can attempt to exploit it.
EPSS: 0.04% (12th percentile)
The recommended solution to mitigate CVE-2026-22675 is to upgrade OCS Inventory NG Server to version 2.12.4 or higher. This version includes the necessary fixes to prevent the Cross-Site Scripting (XSS) vulnerability. In the interim, as a temporary measure, restrict access to the /ocsinventory endpoint to trusted sources only and monitor server logs for suspicious activity. Implementing HTTP security headers, such as Content Security Policy (CSP), can help reduce the potential impact of an XSS attack, although it is not a complete solution. Patch application remains the best practice for ensuring data integrity and confidentiality.
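As an added example (not code from the page, the OCS Inventory project, or the advisory source), the interim log-monitoring step above applied to web server access logs in the common Apache/Nginx "combined" format: requests to /ocsinventory whose User-Agent carries markup or script syntax are flagged for review. The sample log lines and the agent User-Agent string are constructed; only the /ocsinventory path comes from the advisory.

```python
import re
from typing import Iterator, List, NamedTuple, Optional

# Apache/Nginx "combined" format; quoted fields may contain \" escapes, so the
# referer and User-Agent groups accept either a non-quote char or a backslash escape.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)
# Syntax that has no business in an inventory agent's User-Agent: a tag start,
# a javascript: URL, an on*= event-handler attribute, or an HTML character entity.
MARKUP_RE = re.compile(r'<[a-zA-Z/!]|javascript:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;', re.IGNORECASE)

class Finding(NamedTuple):
    ip: str
    timestamp: str
    user_agent: str
    reason: str

def inspect_user_agent(ua: str) -> Optional[str]:
    """Return why a User-Agent value looks suspicious, or None if it looks normal."""
    if MARKUP_RE.search(ua):
        return "markup or script syntax in User-Agent"
    return None

def scan_log(lines, path_prefix: str = "/ocsinventory") -> Iterator[Finding]:
    """Yield one Finding per request to the agent endpoint with a suspicious User-Agent."""
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = m.group("req").split(" ")
        path = parts[1] if len(parts) >= 2 else ""
        if not path.startswith(path_prefix):
            continue  # markup in a UA elsewhere is out of scope for this check
        ua = m.group("ua").replace('\\"', '"')  # undo the logger's quote escaping
        reason = inspect_user_agent(ua)
        if reason:
            yield Finding(m.group("ip"), m.group("ts"), ua, reason)

# Constructed sample log lines (not captured from a real server); the agent UA is made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2026:09:14:02 +0000] "POST /ocsinventory HTTP/1.1" 200 512 "-" "OCS-NG_unified_unix_agent_v2.10.0"',
    '203.0.113.9 - - [10/Jan/2026:09:15:41 +0000] "POST /ocsinventory HTTP/1.1" 200 512 "-" "<script>x</script>"',
    '203.0.113.9 - - [10/Jan/2026:09:16:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "<b>x</b>"',
    '203.0.113.10 - - [10/Jan/2026:09:17:22 +0000] "POST /ocsinventory HTTP/1.1" 200 512 "-" "Mozilla/5.0 \\" onmouseover=x y=\\""',
]

def scan_sample() -> List[Finding]:
    return list(scan_log(SAMPLE_LOG))
```

Point `scan_log` at an open file object instead of `SAMPLE_LOG` to run it over a real access log; a hit is a lead for review, not proof of exploitation.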
Update OCS Inventory NG Server to version 2.12.4 or higher to mitigate the XSS vulnerability. This version corrects the lack of sanitization of HTTP User-Agent headers, preventing the execution of malicious JavaScript code in the browsers of authenticated users.
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into legitimate websites. These scripts execute in the browsers of users visiting the site, potentially allowing attackers to steal information, redirect users, or perform other harmful actions.
If you are using a version of OCS Inventory NG Server prior to 2.12.4, you are vulnerable. Review server logs for unusual patterns in 'User-Agent' headers.
Restrict access to the /ocsinventory endpoint and consider implementing HTTP security headers like CSP.
An attacker could steal user credentials, network inventory information, and other sensitive data stored within the OCS Inventory NG Server system.
You can find more information about CVE-2026-22675 on vulnerability databases like the NIST National Vulnerability Database (NVD).