8 matches found
CVE-2026-24899
Fleet is open source device management software. Prior to version 4.82.0, a vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not...
CVE-2026-24899 Fleet Windows MDM Azure AD JWT Authentication Bypass
Fleet is open source device management software. Prior to version 4.82.0, a vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not...
Exposure of Data Element to Wrong Session
Overview Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the MDM command processing while handling SyncML status code. An attacker can obtain sensitive configuration data belonging to other devices such as WiFi credentials, VPN secrets, and...
PT-2026-6511
Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability in github.com/fleetdm/fleet...
CVE-2026-22808
CVE-2026-22808 describes a Cross-site Scripting (XSS) vulnerability in Fleet Windows MDM endpoint (fleetdm/fleet). If Windows MDM is enabled, an unauthenticated attacker could trigger XSS to steal the Fleet administrator token (FLEET::auth_token) from localStorage, potentially enabling unauthoriz...
CVE-2026-22808 Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability
fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token FLEET::authtoken from localStorage...
CVE-2026-22808 Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability
fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token FLEET::authtoken from localStorage...
GHSA-GFPW-JGVR-CW4J Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability
Summary A cross-site scripting XSS vulnerability in Fleet’s Windows MDM authentication flow could allow an attacker to compromise a Fleet user account. In certain cases, this could lead to administrative access and the ability to perform privileged actions on managed devices. Impact If Windows MD...