CVE-2026-33739 PUBLISHED

FOG has Stored XSS in Multiple Management Pages

Assigner: GitHub_M
Reserved: 23.03.2026 Published: 27.03.2026 Updated: 27.03.2026

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L
CVSS Score: 5.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	FOGProject
Product	fogproject
Versions	Version < 1.5.10.1812 is affected

References

https://github.com/FOGProject/fogproject/security/advisories/GHSA-8m2f-4x7g-p8f3

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE