CVE-2026-47685
Discovered by AISLEPUBLISHEDCWE-79
Description
The unauthenticated inventory service endpoint fails to sanitize client-supplied values before persisting them. When administrators view the Host Management Inventory page, these unescaped static inventory fields render as raw HTML, enabling stored XSS attacks. An attacker knowing a host’s MAC address can inject persistent JavaScript that executes in any administrator’s browser session. The vulnerable code is in packages/web/service/inventory.php and the data is rendered in packages/web/lib/pages/hostmanagementpage.class.php.
CVSS Base Scores
CVSS v3.1(Primary)
7.3CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Affected Products
| Vendor | Product | Version | Status |
|---|---|---|---|
| FOGProject | FOG | < 1.5.10.1832 | — |
| FOGProject | FOG | < 1.6.0-beta.2313 | — |
| FOGProject | fogproject | < 1.5.10.1832 | — |
| FOGProject | fogproject | < 1.6.0-beta.2313 | — |
Credits
- pavelkohout396(reporter)
Solutions
Upgrade to fogproject >= 1.5.10.1832 (stable) or >= 1.6.0-beta.2313 (beta).