PT-2026-4317 · Fog · Fog

Soptikha2 · Published 2026-01-23 · Updated 2026-01-28 · CVE-2026-24138

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

FOG versions 1.5.10.1754 and below

Description

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1754 and below contain an unauthenticated Server-Side Request Forgery (SSRF) condition in the getversion.php file. This can be triggered by providing a user-controlled URL parameter. The issue allows fetching both internal websites and files on the machine running FOG. The condition appears to be reachable without an authenticated web session when the request includes newService=1. The API endpoint involved is getversion.php and the vulnerable parameter is the URL parameter.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
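
With no fixed release listed, one stopgap is to watch web-server access logs for the request shape the description names. The following is an added example, not code from the advisory or the FOG project: it scans constructed access-log lines for getversion.php requests in which any parameter value is a URL. The log format, the path prefix, the client addresses and the parameter name `url` are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines; the path prefix, client addresses and the
# parameter name "url" are assumptions for illustration, not taken from FOG.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Jan/2026:10:01:02 +0000] "GET /getversion.php?newService=1&url=http%3A%2F%2F10.0.0.5%2Fstatus HTTP/1.1" 200 512
198.51.100.7 - - [24/Jan/2026:10:01:09 +0000] "GET /getversion.php?newService=1&url=file:///tmp/constructed.txt HTTP/1.1" 200 64
203.0.113.9 - - [24/Jan/2026:10:02:30 +0000] "GET /getversion.php?url=https://updates.example.org/v HTTP/1.1" 403 0
192.0.2.44 - - [24/Jan/2026:10:03:00 +0000] "GET /getversion.php?newService=1 HTTP/1.1" 200 12
192.0.2.44 - - [24/Jan/2026:10:03:05 +0000] "GET /index.php?url=http://10.0.0.5/ HTTP/1.1" 200 900
"""

REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

def classify(value):
    """Return a label if a query-parameter value is a URL, else None."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return "malformed-url"
    if not parts.scheme:
        return None
    if parts.scheme not in ("http", "https"):
        return "non-http-scheme"  # e.g. file:// would read from the FOG host
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
        internal = ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:  # a hostname rather than an IP literal
        internal = host == "localhost" or "." not in host
    return "internal-host" if internal else "external-url"

def scan(log_text):
    """Return (client, label, has_newService_1) per URL-valued parameter."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/getversion.php"):
            continue
        params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes
        new_service = any(k.lower() == "newservice" and v == "1" for k, v in params)
        findings += [(client, label, new_service) for _, v in params if (label := classify(v))]
    return findings
```

Hits labelled `internal-host` or `non-http-scheme` with the `newService=1` flag set match the unauthenticated condition described above and are the ones to triage first.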

Exploit

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-24138
GHSA-79XW-C2QX-G7XJ

Affected Products

Fog