FOG Project Flaw: Stored XSS Lurks in Management Tables
CVE Notify is flagging a Stored Cross-Site Scripting (XSS) vulnerability impacting earlier versions of the popular FOG Project, a free open-source suite for cloning, imaging, and inventory management. The vulnerability, identified as CVE-2026-33739, resides within the listing tables on several key management pages, including Host, Storage, Group, Image, Printer, and Snapin.
According to CVE Notify, the root cause stems from insufficient server-side sanitization of parameters during record creation and updates, coupled with a failure to properly escape HTML within the listing tables themselves. This combination allows attackers to inject malicious scripts that are then stored and served to other users accessing these management interfaces, potentially leading to session hijacking or unauthorized actions.
The good news is that FOG Project has addressed this gaping hole. CVE Notify points out that version 1.5.10.1812 has been released specifically to patch this XSS flaw. Staying on older, unpatched versions of FOG Project leaves your environment exposed to these types of attacks.
What This Means For You
- Immediately verify and update all FOG Project instances to version 1.5.10.1812 or later to remediate the reported Stored XSS vulnerability, ensuring that administrative interfaces are properly secured against script injection.
Related ATT&CK Techniques
๐ก๏ธ Detection Rules
1 rule ยท 6 SIEM formats1 detection rule mapped to MITRE ATT&CK. Free Sigma YAML below.
Web Application Exploitation Attempt โ CVE-2026-33739
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-33739 | XSS | FOG Project, versions prior to 1.5.10.1812, Host management page, Storage management page, Group management page, Image management page, Printer management page, Snapin management page, vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient server-side parameter sanitization and lack of HTML escaping. |
Related coverage
Daily Security Digest โ 2026-05-22
13 vulnerability disclosures (5 Critical, 8 High) and 14 curated intelligence stories from 6 sources.
WordPress Ditty Plugin: Authorization Bypass Exposes Non-Public Content
CVE-2026-9011 โ The Ditty โ Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and...
CVE-2026-8692 โ The Vedrixa Forms โ User Registration Form, Signup Form &
CVE-2026-8692 โ The Vedrixa Forms โ User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass...