{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22808", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T22:50:10.288Z", "datePublished": "2026-01-21T21:18:26.283Z", "dateUpdated": "2026-01-22T16:50:28.717Z"}, "containers": {"cna": {"title": "Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j"}], "affected": [{"vendor": "fleetdm", "product": "fleet", "versions": [{"version": ">= 4.78.0, < 4.78.2", "status": "affected"}, {"version": ">= 4.77.0, < 4.77.1", "status": "affected"}, {"version": ">= 4.76.0, < 4.76.2", "status": "affected"}, {"version": "< 4.53.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-21T21:18:26.283Z"}, "descriptions": [{"lang": "en", "value": "fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM."}], "source": {"advisory": "GHSA-gfpw-jgvr-cw4j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T15:09:38.114321Z", "id": "CVE-2026-22808", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T16:50:28.717Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22808", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T15:09:38.114321Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T15:09:39.255Z"}}], "cna": {"title": "Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability", "source": {"advisory": "GHSA-gfpw-jgvr-cw4j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "fleetdm", "product": "fleet", "versions": [{"status": "affected", "version": ">= 4.78.0, < 4.78.2"}, {"status": "affected", "version": ">= 4.77.0, < 4.77.1"}, {"status": "affected", "version": ">= 4.76.0, < 4.76.2"}, {"status": "affected", "version": "< 4.53.3"}]}], "references": [{"url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j", "name": "https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-21T21:18:26.283Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22808", "state": "PUBLISHED", "dateUpdated": "2026-01-22T16:50:28.717Z", "dateReserved": "2026-01-09T22:50:10.288Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-21T21:18:26.283Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*", "matchCriteriaId": "58B2870D-823A-4862-A51B-B3F86C60D89B", "versionEndExcluding": "4.53.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*", "matchCriteriaId": "E363A7DF-0880-44B8-82A6-0192D1D43471", "versionEndExcluding": "4.75.2", "versionStartIncluding": "4.75.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*", "matchCriteriaId": "53B5B8B6-F8C9-45E2-A160-D5834B1F3D61", "versionEndExcluding": "4.76.2", "versionStartIncluding": "4.76.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2A64FBB-EFC6-4BB3-B9C7-0A3D754DCF25", "versionEndExcluding": "4.78.2", "versionStartIncluding": "4.78.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fleetdm:fleet:4.77.0:*:*:*:*:*:*:*", "matchCriteriaId": "AE525B6A-8AF1-4D33-8EE9-FFD6A1C4F3F8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM."}], "id": "CVE-2026-22808", "lastModified": "2026-02-18T15:31:03.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-21T22:15:49.233", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T04:10:57.182648+00:00", "value": {"mitigation_remediation": ["Upgrade Fleet to version 4.78.2 or later", "If an upgrade is not possible, disable Windows MDM to mitigate the XSS flaw", "Employ input validation and sanitization on the web UI to prevent future XSS exposures (CWE\u201179)"], "summary": {"action": "Immediate Patch", "impact": "Cross-site scripting leading to theft of authentication token"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in versions prior to 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 of the fleetdm:fleet product. Those installations with Windows MDM enabled are impacted; upgrading to any of the listed patched releases eliminates the risk.", "description_and_impact": "Fleet's open source device management software exposes an XSS flaw that, when Windows MDM is enabled, allows any unauthenticated attacker to inject malicious scripts into the web interface. The attacker can then steal the administrator\u2019s authentication token stored in the browser\u2019s localStorage, gaining full administrative access to the Fleet instance, including visibility into device data and the ability to modify configurations. This severity is reflected by a CWE\u201179 labeling of insecure input handling.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate risk, but the EPSS score of less than 1% shows that this vulnerability is unlikely to be actively exploited at present. The attacker requires no authentication and only needs the ability to load the affected web page; therefore, the attack vector is remote via the web UI. Because the flaw only affects systems with Windows MDM enabled, administrators who have disabled that feature are not exposed. The vulnerability is not currently listed in the CISA KEV catalog, so no known large\u2011scale exploitation has been reported."}}}}, "created": "2026-01-22T10:08:27.471179+00:00", "updated": "2026-04-18T04:15:05.878856+00:00", "vendors": ["fleetdm", "fleetdm$PRODUCT$fleet"]}