CVE-2026-47687

Discovered by AISLEPUBLISHEDCWE-79

Description

The selectForm() helper renders <option> labels using unescaped user input. An unauthenticated attacker with knowledge of a registered host’s MAC address can POST malicious sysproduct values to an unauthenticated inventory endpoint, which are stored in the database. When administrators access the Inventory Report, the payload executes arbitrary JavaScript in their browser.

CVSS Base Scores

CVSS v3.1(Primary)
7.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Affected Products

VendorProductVersionStatus
FOGProjectFOG< 1.5.10.1832
FOGProjectFOG< 1.6.0-beta.2313
FOGProjectfogproject< 1.5.10.1832
FOGProjectfogproject< 1.6.0-beta.2313

Credits

  • pavelkohout396(reporter)

Solutions

Upgrade to FOG >= 1.5.10.1832 (stable) or >= 1.6.0-beta.2313 (beta), where the selectForm() option labels are properly escaped.

References