PatchSiren

OCS Inventory CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Severity: MEDIUM | OCS Inventory CVE | Published 2026-04-06

CVE-2026-22675

A stored cross-site scripting (XSS) vulnerability in OCS Inventory NG Server allows unauthenticated attackers to inject malicious JavaScript via crafted User-Agent HTTP headers submitted to the /ocsinventory endpoint. The vulnerability affects versions 2.12.3 and prior. The malicious payload is stored without adequate sanitization and rendered with insufficient encoding in the web console's statistics das [truncated]