CVE-2026-33739 MEDIUM

CVE-2026-33739: FOG has Stored XSS in Multiple Management Pages

Vendor Fogproject
Product fogproject
Weakness CWE-79 · XSS
Published March 27, 2026
Last update March 27, 2026

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

What the vulnerability does

01Description

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue.

Key dates

02Disclosure timeline

March 27, 2026 CVE published
March 27, 2026 Record updated