What is the CVSS score of EUVD-2026-16779?

EUVD-2026-16779 has a CVSS 3.1 base score of 5.7 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Fogproject are affected by EUVD-2026-16779?

Organizations using FOG should be aware of moderate risk from CVE-2026-33739, a cross-site scripting vulnerability rated CVSS 5.7.. A patch is available.

How to fix or mitigate EUVD-2026-16779?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.

Fogproject EUVD-2026-16779

| CVE-2026-33739 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-03-27 security-advisories@github.com

XSS Fogproject

5.7

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.7 MEDIUM

AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

1.5.10.1812

EUVD ID Assigned

Mar 27, 2026 - 20:22 euvd

EUVD-2026-16779

Analysis Generated

Mar 27, 2026 - 20:22 vuln.today

CVE Published

Mar 27, 2026 - 20:16 nvd

MEDIUM 5.7

DescriptionGitHub Advisory

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter sanitization in record creations/updates and a lack of HTML escaping in listing tables. Version 1.5.10.1812 patches the issue.

AnalysisAI

Stored cross-site scripting (XSS) in FOG Project versions prior to 1.5.10.1812 allows authenticated high-privilege administrators to inject malicious scripts into management pages (Host, Storage, Group, Image, Printer, Snapin) through unsanitized record creation/update parameters, which are then executed when other administrators view the listing tables. The vulnerability requires administrative access and user interaction to trigger, resulting in potential session hijacking, credential theft, or lateral movement within the management interface.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	While the CVSS 5.7 score reflects the restricted attack surface (requires PR:H privileged access and UI:R user interaction), the real-world risk is notably elevated by the stored nature of the payload and the administrative context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A disgruntled or compromised administrator with high-privilege FOG account credentials creates a new Host record with a malicious payload injected into a text field (e.g., hostname or description field). The payload is stored unsanitized in the database. …
Remediation	Upgrade FOG Project to version 1.5.10.1812 or later, which patches the vulnerability by implementing server-side input sanitization and HTML escaping in listing table output. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-16779 vulnerability details – vuln.today

Back