EUVD-2026-16779CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L
Lifecycle Timeline
3Tags
Description
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue.
Analysis
Stored cross-site scripting (XSS) in FOG Project versions prior to 1.5.10.1812 allows authenticated high-privilege administrators to inject malicious scripts into management pages (Host, Storage, Group, Image, Printer, Snapin) through unsanitized record creation/update parameters, which are then executed when other administrators view the listing tables. The vulnerability requires administrative access and user interaction to trigger, resulting in potential session hijacking, credential theft, or lateral movement within the management interface.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today