{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33739", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-27T19:45:12.642Z", "dateUpdated": "2026-03-27T20:29:44.713Z"}, "containers": {"cna": {"title": "FOG has Stored XSS in Multiple Management Pages", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-8m2f-4x7g-p8f3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-8m2f-4x7g-p8f3"}], "affected": [{"vendor": "FOGProject", "product": "fogproject", "versions": [{"version": "< 1.5.10.1812", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:45:12.642Z"}, "descriptions": [{"lang": "en", "value": "FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue."}], "source": {"advisory": "GHSA-8m2f-4x7g-p8f3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:29:36.188874Z", "id": "CVE-2026-33739", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:29:44.713Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33739", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T20:29:36.188874Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:29:41.292Z"}}], "cna": {"title": "FOG has Stored XSS in Multiple Management Pages", "source": {"advisory": "GHSA-8m2f-4x7g-p8f3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "FOGProject", "product": "fogproject", "versions": [{"status": "affected", "version": "< 1.5.10.1812"}]}], "references": [{"url": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-8m2f-4x7g-p8f3", "name": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-8m2f-4x7g-p8f3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:45:12.642Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33739", "state": "PUBLISHED", "dateUpdated": "2026-03-27T20:29:44.713Z", "dateReserved": "2026-03-23T17:34:57.561Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T19:45:12.642Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fogproject:fogproject:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D148022-8558-4DA4-A10B-BD1FBD11662C", "versionEndExcluding": "1.5.10.1812", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue."}], "id": "CVE-2026-33739", "lastModified": "2026-04-08T15:08:44.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-27T20:16:33.423", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-8m2f-4x7g-p8f3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.5.10.1812)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fogproject", "source": "cna", "vendor": "FOGProject"}, "product": "fogproject", "vendor": "fogproject"}], "analysis": {"en": {"generated_at": "2026-04-08T16:53:54.356524+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading to FOGProject fogproject version\u202f1.5.10.1812 or later. If an immediate update is not possible, restrict administrative access to the affected pages and use a web application firewall or input\u2011validation controls to block script payloads."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting via FOG management pages"}, "threat_synthesis": {"affected_systems": "FOGProject\u2019s fogproject software is affected on all releases before 1.5.10.1812. The vulnerability appears on the Host, Storage, Group, Image, Printer and Snapin management pages, where new or edited records are displayed.", "description_and_impact": "The flaw is a stored cross\u2011site scripting vulnerability that arises from server\u2011side input not being sanitized and from the lack of HTML escaping when rendering records on multiple management pages. Data entered by an attacker is persisted in the database and subsequently executed in the browser of any logged\u2011in user who views the affected page, allowing the attacker to run arbitrary JavaScript. This can result in session hijacking, credential theft, or defacement of the FOG interface.", "risk_and_exploitability": "The CVSS score of 5.7 indicates moderate severity, while the EPSS score of less than 1\u202f% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access capable of creating or updating records, implying the attack vector is internal or privileged. Once injected, the malicious payload is stored and delivered to any user who visits the affected pages, providing a persistent exploitation vector for those with read\u2011access."}}}}, "created": "2026-03-29T20:30:22.699327+00:00", "updated": "2026-04-08T20:01:05.164239+00:00", "vendors": ["fogproject", "fogproject$PRODUCT$fogproject"]}