CVE-2026-33739

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33739
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33739.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33739
Aliases
  • GHSA-8m2f-4x7g-p8f3
Published
2026-03-27T19:45:12.642Z
Modified
2026-04-10T05:42:55.780937Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L CVSS Calculator
Summary
FOG has Stored XSS in Multiple Management Pages
Details

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue.

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33739.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/fogproject/fogproject

Affected ranges

Type
GIT
Repo
https://github.com/fogproject/fogproject
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
08f92867c6733c5000ffc19b64e57057a7c84dbe
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.5.10.1812"
        }
    ]
}

Affected versions

1.*
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.5.10.1565
1.5.10.1566
1.5.10.1593
1.5.10.1615
1.5.10.1622
1.5.10.1629
1.5.10.1634
1.5.10.1639
1.5.10.1650
1.5.10.1655
1.5.10.1660
1.5.10.1667
1.5.10.1673
1.5.10.1698
1.5.10.1721
1.5.10.1733
1.5.10.1734
1.5.10.1751
1.5.10.1754
1.5.10.1763
1.5.10.1798
1.5.10.41
1.5.10.48
1.5.10.74

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33739.json"