{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33739", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-27T19:45:12.642Z", "dateUpdated": "2026-03-27T20:29:44.713Z"}, "containers": {"cna": {"title": "FOG has Stored XSS in Multiple Management Pages", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-8m2f-4x7g-p8f3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-8m2f-4x7g-p8f3"}], "affected": [{"vendor": "FOGProject", "product": "fogproject", "versions": [{"version": "< 1.5.10.1812", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:45:12.642Z"}, "descriptions": [{"lang": "en", "value": "FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue."}], "source": {"advisory": "GHSA-8m2f-4x7g-p8f3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:29:36.188874Z", "id": "CVE-2026-33739", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:29:44.713Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33739", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T20:29:36.188874Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:29:41.292Z"}}], "cna": {"title": "FOG has Stored XSS in Multiple Management Pages", "source": {"advisory": "GHSA-8m2f-4x7g-p8f3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "FOGProject", "product": "fogproject", "versions": [{"status": "affected", "version": "< 1.5.10.1812"}]}], "references": [{"url": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-8m2f-4x7g-p8f3", "name": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-8m2f-4x7g-p8f3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:45:12.642Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33739", "state": "PUBLISHED", "dateUpdated": "2026-03-27T20:29:44.713Z", "dateReserved": "2026-03-23T17:34:57.561Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T19:45:12.642Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue."}], "id": "CVE-2026-33739", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T20:16:33.423", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-8m2f-4x7g-p8f3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.5.10.1812)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fogproject", "source": "cna", "vendor": "FOGProject"}, "product": "fogproject", "vendor": "fogproject"}], "analysis": {"en": {"generated_at": "2026-03-27T21:37:07.546303+00:00", "value": {"mitigation_remediation": ["Upgrade FogProject to version 1.5.10.1812 or later.", "If an upgrade is not possible, restrict or disable the affected management pages to prevent unauthenticated or untrusted users from creating or modifying records.", "Implement server\u2011side input validation and HTML escaping on all data entered via the web interface.", "Verify that no legacy data containing malicious content remains in the database; have administrators clear or sanitize existing entries."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting that can lead to session hijacking and data theft"}, "threat_synthesis": {"affected_systems": "FogProject fogproject installations running any version prior to 1.5.10.1812 are vulnerable. The issue affects the Host, Storage, Group, Image, Printer, and Snapin management interfaces in versions older than the patched release. Installing or upgrading to 1.5.10.1812 or newer mitigates the vulnerability.", "description_and_impact": "Stored Cross\u2011Site Scripting occurs when unsanitized input is stored and later rendered in HTML tables on several management pages of FogProject. An attacker with the ability to create or modify records can inject malicious scripts that are executed in the browsers of any user who views these pages. This can lead to credential theft, session hijacking, defacement, or the injection of other malicious content, impacting confidentiality and integrity. The weakness is a classic input validation flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS base score of 5.7 indicates a moderate severity. No EPSS figure is reported, and the vulnerability is not listed in CISA's KEV catalog. The exploit requires authenticated web\u2011interface access to create or edit an object, after which any viewer of a table containing the injected payload can be impacted. Given the moderate score and lack of publicly known exploits, the risk is manageable but still significant for systems exposed to external users or shared environments."}}}}, "created": "2026-03-29T20:30:22.699327+00:00", "updated": "2026-03-30T07:00:36.980534+00:00", "vendors": ["fogproject", "fogproject$PRODUCT$fogproject"]}