5 matches found
CVE-2026-23518
Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not...
GHSA-GFPW-JGVR-CW4J Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability
Summary: A cross-site scripting (XSS) vulnerability in Fleet’s Windows MDM authentication flow could allow an attacker to compromise a Fleet user account. In certain cases, this could lead to administrative access and the ability to perform privileged actions on managed devices. Impact: If Windows MD...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the Windows MDM. An attacker can obtain authentication tokens and gain administrative access by convincing an authenticated user to visit a crafted link. This is only exploitable if Windows MDM is enabled...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the Windows MDM. An attacker can obtain authentication tokens and gain administrative access by convincing an authenticated user to visit a crafted link. This is only exploitable if Windows MDM is enabled...
PT-2026-3748
Name of the Vulnerable Software and Affected Versions: Fleet versions prior to 4.78.2; Fleet versions 4.53.3 through 4.77.1; Fleet versions 4.75.2; Fleet versions 4.76.2. Description: Fleet, an open-source device management software, contains a cross-site scripting (XSS) flaw in its Windows MDM...