{"id":"CVE-2026-33739","summary":"FOG has Stored XSS in Multiple Management Pages","details":"FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue.","aliases":["GHSA-8m2f-4x7g-p8f3"],"modified":"2026-04-10T05:42:55.780937Z","published":"2026-03-27T19:45:12.642Z","database_specific":{"cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33739.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33739.json"},{"type":"ADVISORY","url":"https://github.com/FOGProject/fogproject/security/advisories/GHSA-8m2f-4x7g-p8f3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33739"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fogproject/fogproject","events":[{"introduced":"0"},{"fixed":"08f92867c6733c5000ffc19b64e57057a7c84dbe"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.5.10.1812"}]}}],"versions":["1.3.0","1.3.1","1.3.2","1.3.3","1.3.4","1.3.5","1.5.10.1565","1.5.10.1566","1.5.10.1593","1.5.10.1615","1.5.10.1622","1.5.10.1629","1.5.10.1634","1.5.10.1639","1.5.10.1650","1.5.10.1655","1.5.10.1660","1.5.10.1667","1.5.10.1673","1.5.10.1698","1.5.10.1721","1.5.10.1733","1.5.10.1734","1.5.10.1751","1.5.10.1754","1.5.10.1763","1.5.10.1798","1.5.10.41","1.5.10.48","1.5.10.74"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33739.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L"}]}