CVE-2026-22675 Overview
OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitation and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.
Critical Impact
Unauthenticated attackers can inject malicious JavaScript that executes in the context of authenticated administrators viewing the OCS Inventory web console, potentially leading to session hijacking, credential theft, or administrative actions performed on behalf of the attacker.
Affected Products
- OCS Inventory NG Server versions up to and including 2.12.3
- OCS Inventory Server installations with exposed /ocsinventory endpoints
- Systems allowing agent registration without strict input validation
Discovery Timeline
- April 6, 2026 - CVE-2026-22675 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-22675
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) exists due to improper input validation and output encoding in OCS Inventory NG Server. The application accepts HTTP requests at the /ocsinventory endpoint where agents register and report inventory data. The User-Agent HTTP header value from these requests is stored in the database without proper sanitization.
When administrators access the statistics dashboard through the web console, the stored User-Agent values are retrieved and rendered in the HTML response. Due to insufficient output encoding, any JavaScript code embedded in the User-Agent header is executed in the browser context of the authenticated user viewing the dashboard.
The attack is particularly dangerous because it requires no authentication to inject the payload—any entity capable of sending HTTP requests to the /ocsinventory endpoint can plant malicious scripts. The payload then executes when a privileged user views the affected dashboard, creating an indirect attack vector that bridges unauthenticated network access to authenticated administrative sessions.
Root Cause
The root cause of this vulnerability is twofold: first, the application fails to sanitize the User-Agent HTTP header upon ingestion, allowing arbitrary string content including script tags and JavaScript payloads to be stored in the database. Second, when displaying agent information in the web console, the application does not properly encode or escape the stored User-Agent values before inserting them into HTML content, allowing the browser to interpret the malicious content as executable code rather than display text.
Attack Vector
The attack leverages the network-accessible /ocsinventory endpoint which is designed to receive inventory data from OCS agents. An attacker crafts HTTP requests with malicious JavaScript embedded in the User-Agent header. These requests can mimic legitimate agent check-ins or registration attempts. The malicious payload is persisted to the database and lies dormant until an authenticated administrator views the statistics or agent listing page, at which point the JavaScript executes in their browser session.
The attacker can use this execution context to steal session cookies, perform actions as the administrator, exfiltrate sensitive inventory data, or inject additional malicious content into the application. Since the payload is stored, it can affect multiple administrators who view the compromised dashboard.
Detection Methods for CVE-2026-22675
Indicators of Compromise
- Unusual or suspicious User-Agent strings in OCS Inventory database containing HTML tags, <script> elements, or JavaScript event handlers
- HTTP requests to /ocsinventory endpoint with abnormally long or encoded User-Agent headers
- Database entries containing patterns like <script>, javascript:, onerror=, or onload= in agent-related fields
- Unexpected outbound connections from administrator workstations after viewing OCS Inventory dashboards
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block HTTP requests containing JavaScript or HTML in User-Agent headers
- Configure database monitoring to alert on insertion of records containing XSS payload patterns in User-Agent fields
- Deploy browser-based XSS detection through Content Security Policy (CSP) reporting to identify script execution from unexpected sources
- Review HTTP access logs for requests to /ocsinventory with anomalous User-Agent patterns
Monitoring Recommendations
- Enable logging of all User-Agent headers for requests to the /ocsinventory endpoint
- Implement real-time alerting for database writes containing potential XSS patterns in agent registration data
- Monitor administrator sessions for unusual activity patterns following dashboard access
- Deploy endpoint detection solutions on administrator workstations to identify suspicious browser behavior
How to Mitigate CVE-2026-22675
Immediate Actions Required
- Update OCS Inventory NG Server to the patched version that includes commit 78faf2ca8b897141ba4d337d75692ab8e405bd4e
- Review existing database records for malicious User-Agent entries and sanitize or remove suspicious content
- Implement network-level filtering to restrict access to the /ocsinventory endpoint to known, trusted agent IP ranges
- Enable Content Security Policy headers on the OCS Inventory web console to mitigate XSS impact
Patch Information
The vendor has released a fix through GitHub commit 78faf2ca8b897141ba4d337d75692ab8e405bd4e. The patch addresses the vulnerability by implementing proper input sanitization for User-Agent headers and ensuring appropriate output encoding when rendering agent data in the web console. Additional details about the fix can be found in GitHub Pull Request #483. The VulnCheck Security Advisory provides comprehensive information about this vulnerability.
Workarounds
- Deploy a reverse proxy or WAF in front of OCS Inventory Server to filter requests containing potential XSS payloads in headers
- Restrict network access to the /ocsinventory endpoint using firewall rules to allow only legitimate OCS agent IP addresses
- Implement strict Content Security Policy headers on the web console to prevent inline script execution
- Consider disabling the statistics dashboard temporarily until the patch can be applied
# Example: Apache mod_security rule to filter malicious User-Agent headers
SecRule REQUEST_HEADERS:User-Agent "@rx <script|javascript:|onerror=|onload=" \
"id:100001,phase:1,deny,status:403,msg:'Potential XSS in User-Agent blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
