CVE-2026-22675 is a stored cross-site scripting vulnerability in OCS Inventory NG Server (version 2.12.3 and prior). It arises from improper neutralization of input during web page generation (CWE-79). Attackers can submit malicious User-Agent HTTP headers to the /ocsinventory endpoint, which are stored and later rendered unsafely in the web console's statistics dashboard. This enables execution of arbitrary JavaScript in browsers of authenticated users who view the dashboard. The vulnerability requires no authentication for the initial attack vector but impacts users with dashboard access. The CVSS 4.0 score is 5.1, indicating medium severity. No patch or official remediation level has been published, and the product is not a cloud service.

The vulnerability allows unauthenticated attackers to inject and store malicious JavaScript via User-Agent headers, which is then executed in the context of authenticated users' browsers when they access the statistics dashboard. This can lead to session hijacking, unauthorized actions, or other attacks leveraging the victim's browser privileges within the OCS Inventory NG Server web console. However, exploitation requires the victim to be an authenticated user viewing the affected dashboard. There are no known active exploits reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the OCS Inventory NG Server web console to trusted users only. Consider implementing web application firewall (WAF) rules to detect and block suspicious User-Agent headers. Monitor for unusual activity related to the statistics dashboard. Avoid exposing the dashboard to untrusted networks or users. Follow vendor updates closely for any forthcoming patches or official mitigations.