PatchSiren cyber security CVE debrief

CVE-2026-22675 OCS Inventory CVE debrief

A stored cross-site scripting (XSS) vulnerability in OCS Inventory NG Server allows unauthenticated attackers to inject malicious JavaScript via crafted User-Agent HTTP headers submitted to the /ocsinventory endpoint. The vulnerability affects versions 2.12.3 and prior. The malicious payload is stored without adequate sanitization and rendered with insufficient output encoding in the web console's statistics dashboard, executing arbitrary JavaScript in the browsers of authenticated administrative users who view the affected data. The attack vector requires network access to the inventory endpoint but no authentication; user interaction by a victim administrator is required. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, and user interaction present, with low impact to the confidentiality and integrity of the system. A patch has been committed to address the sanitization deficiency.

Vendor: OCS Inventory
Product: OCS Inventory NG Server
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-06
Original CVE updated: 2026-05-26
Advisory published: 2026-04-06
Advisory updated: 2026-05-26

Who should care

Organizations operating OCS Inventory NG Server versions 2.12.3 or earlier for IT asset management and inventory tracking. Security teams responsible for protecting administrative interfaces of inventory management systems. System administrators managing OCS Inventory deployments with external agent registration enabled.

Technical summary

The vulnerability exists in the OCS Inventory NG Server's handling of agent registration requests to the /ocsinventory endpoint. The server stores User-Agent HTTP header values without sufficient input sanitization, then renders these values in the administrative web console's statistics dashboard with inadequate output encoding. This enables unauthenticated attackers to submit requests containing malicious JavaScript payloads in the User-Agent header, which persist in the database and execute when authenticated administrators view the affected dashboard. The attack chain requires: (1) network access to submit requests to the inventory endpoint, (2) crafted User-Agent header containing XSS payload, (3) storage of unsanitized data, and (4) victim administrator viewing the statistics dashboard. The CVSS 4.0 score of 5.1 reflects network accessibility, low complexity, and low impacts to system confidentiality and integrity with required user interaction.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade OCS Inventory NG Server to a version incorporating commit 78faf2ca8b897141ba4d337d75692ab8e405bd4e or later
  • Implement input validation and sanitization for all HTTP headers processed by the /ocsinventory endpoint, particularly User-Agent values
  • Apply context-appropriate output encoding when rendering stored User-Agent data in the web console statistics dashboard
  • Review and sanitize existing stored User-Agent entries in the database for malicious payloads
  • Consider implementing Content Security Policy (CSP) headers to mitigate impact of any residual XSS vectors
  • Monitor access logs for anomalous User-Agent strings containing script tags or encoded JavaScript patterns
  • Restrict network access to the /ocsinventory endpoint to authorized agent hosts where deployment architecture permits
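As an added illustration of two of the actions above (context-appropriate output encoding of stored User-Agent values, and monitoring access logs for script-like User-Agent strings), the following Python is example code written for this debrief, not code from the OCS Inventory project or its patch. The log lines are constructed in Apache combined-log format, and the agent strings, IPs and indicator list are assumptions chosen for the demonstration.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample access log (not real OCS Inventory server logs).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Apr/2026:10:00:01 +0000] "POST /ocsinventory HTTP/1.1" 200 512 "-" "OCS-NG_unified_unix_agent_v2.10.0"
10.0.0.9 - - [06/Apr/2026:10:00:02 +0000] "POST /ocsinventory HTTP/1.1" 200 512 "-" "Mozilla/5.0 <script>alert(1)</script>"
10.0.0.7 - - [06/Apr/2026:10:00:03 +0000] "POST /ocsinventory HTTP/1.1" 200 512 "-" "agent %3Cimg src=x onerror=alert(1)%3E"
10.0.0.8 - - [06/Apr/2026:10:00:04 +0000] "GET /ocsreports/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/128.0"
"""

# Apache "combined" format: the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Script-injection indicators; checked only after decoding so that
# URL-encoded or entity-encoded variants are not missed.
XSS_INDICATORS = re.compile(
    r'<\s*/?\s*(script|img|svg|iframe)\b|\bon[a-z]+\s*=|javascript\s*:',
    re.IGNORECASE,
)


def normalise(value: str) -> str:
    """Undo URL encoding and HTML entities (twice, to catch double encoding)."""
    for _ in range(2):
        value = html.unescape(unquote(value))
    return value


def suspicious_agents(log_text: str, path: str = "/ocsinventory") -> list:
    """Return (client_ip, raw_user_agent) for requests to `path` whose
    User-Agent contains script-like content after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"] != path:
            continue
        if XSS_INDICATORS.search(normalise(m["ua"])):
            hits.append((m["ip"], m["ua"]))
    return hits


def render_user_agent(stored_value: str) -> str:
    """Encode a stored User-Agent for an HTML text/attribute context in the
    dashboard, so that stored markup is displayed rather than executed."""
    return html.escape(stored_value, quote=True)
```

The detector is a triage aid for the log-monitoring action, not a substitute for the patch; the encoding helper shows the output-side control that makes stored markup inert regardless of what reached the database.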

Evidence notes

Vulnerability confirmed through the official NVD record, whose CPE criteria specify affected versions through 2.12.3. Patch commit 78faf2ca8b897141ba4d337d75692ab8e405bd4e addresses the sanitization issue. A third-party advisory from VulnCheck provides additional technical context. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the recorded weakness classification, attributed to a secondary source.
