FOG Project Flaw: Stored XSS Lurks in Management Tables
CVE Notify is flagging a Stored Cross-Site Scripting (XSS) vulnerability impacting earlier versions of the popular FOG Project, a free open-source suite for cloning, imaging, and inventory management. The vulnerability, identified as CVE-2026-33739, resides within the listing tables on several key management pages, including Host, Storage, Group, Image, Printer, and Snapin.
According to CVE Notify, the root cause stems from insufficient server-side sanitization of parameters during record creation and updates, coupled with a failure to properly escape HTML within the listing tables themselves. This combination allows attackers to inject malicious scripts that are then stored and served to other users accessing these management interfaces, potentially leading to session hijacking or unauthorized actions.
The good news is that FOG Project has addressed this gaping hole. CVE Notify points out that version 1.5.10.1812 has been released specifically to patch this XSS flaw. Staying on older, unpatched versions of FOG Project leaves your environment exposed to these types of attacks.
What This Means For You
- Immediately verify and update all FOG Project instances to version 1.5.10.1812 or later to remediate the reported Stored XSS vulnerability, ensuring that administrative interfaces are properly secured against script injection.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-33739 | XSS | FOG Project, versions prior to 1.5.10.1812, Host management page, Storage management page, Group management page, Image management page, Printer management page, Snapin management page, vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient server-side parameter sanitization and lack of HTML escaping. |
๐ Recommended Tools
Found this interesting? Follow us to stay ahead.