CVE-2026-47685

Discovered by AISLEPUBLISHEDCWE-79

Description

The unauthenticated inventory service endpoint fails to sanitize client-supplied values before persisting them. When administrators view the Host Management Inventory page, these unescaped static inventory fields render as raw HTML, enabling stored XSS attacks. An attacker knowing a host’s MAC address can inject persistent JavaScript that executes in any administrator’s browser session. The vulnerable code is in packages/web/service/inventory.php and the data is rendered in packages/web/lib/pages/hostmanagementpage.class.php.

CVSS Base Scores

CVSS v3.1(Primary)
7.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Affected Products

VendorProductVersionStatus
FOGProjectFOG< 1.5.10.1832
FOGProjectFOG< 1.6.0-beta.2313
FOGProjectfogproject< 1.5.10.1832
FOGProjectfogproject< 1.6.0-beta.2313

Credits

  • pavelkohout396(reporter)

Solutions

Upgrade to fogproject >= 1.5.10.1832 (stable) or >= 1.6.0-beta.2313 (beta).

References