CVE-2026-22808
MEDIUMfleetdm/fleet < 4.78.2 - Unauthenticated Stored XSS via Windows MDM
Title source: llmDescription
fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j
Scores
CVSS v3
5.4
EPSS
0.0021
EPSS Percentile
11.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (4)
fleetdm/fleet
4.77.0
fleetdm/fleet
< 4.53.3
fleetdm/fleet
0 - 4.43.5-0.20260111020427-0e6c790803d1Go
fleetdm/fleet
4.78.0 - 4.78.2Go
Published
Jan 21, 2026
Tracked Since
Feb 18, 2026