OCS Inventory NG review 2026: features, limits, alternative

Citation capsule

• "OCS Inventory NG server 2.12.4 ships the fix for CVE-2026-22675 — patch on release (Source: NVD, 2026)"
• "The OCS agent runs on Windows, Linux, macOS, AIX, with the Unix agent shipped in Perl and the Windows agent compiled native (Source: OCS Inventory NG, 2026)"
• "GLPI pairs with OCS via the OCSInventoryNG plugin — OCS captures, GLPI manages — the canonical French open-source ITAM stack since 2003 (Source: GLPI docs)"

OCS Inventory NG (Open Computer and Software Inventory Next Generation) is one of the oldest open-source inventory engines still actively maintained — first release 2001, project rebooted as "NG" in 2008. The product survives in 2026 because French enterprises and ESNs treat the OCS + GLPI pair as a de-facto standard. The release of v2.12.4 in 2026 with the CVE-2026-22675 fix shows the maintainers ship security patches on time. Whether that is enough to compete with modern SaaS ITAM is a separate question.

For broader context, see our IT asset management pillar and the GLPI alternative comparison.

What is OCS Inventory NG in 2026

OCS Inventory NG is a client-server inventory product with two pieces:

• Server — Apache + MySQL/MariaDB + Perl + PHP web console. Hosted on a Linux box typically. Receives inventory uploads from agents, exposes a web UI, runs reports.
• Agent — Installed on each endpoint. Captures hardware specs, installed software, network adapters, optional package deployment status. Reports back to the server on a schedule (daily by default).

The Unix agent is written in Perl. The Windows agent ships as a native compiled binary that does not require the Perl runtime to be present on the endpoint. macOS and AIX agents exist. SNMP scanning lets the server poll network gear without an agent.

OCS Inventory is paired most often with GLPI (Gestion Libre de Parc Informatique) through the OCSInventoryNG plugin. OCS captures the raw data, GLPI imports it and adds asset assignments, contracts, tickets, lifecycle status, and accounting fields. The split makes sense historically — but it also means a French open-source ITAM rollout in 2026 still juggles two products, two databases, two web consoles.

OCS Inventory NG version 2.12.4 — released 2026

The May 2026 stable release is server v2.12.4. The release notes call out one security fix: CVE-2026-22675, patched in this version. Prior releases this cycle: 2.12.2, 2.11.1, 2.10.0, 2.8 — each focused on inventory accuracy, Unix agent stability, and SNMP improvements.

Source: github.com/OCSInventory-NG/OCSInventory-ocsreports and ocsinventory-ng.com/en/updates.

Operational advice: if you run OCS Inventory NG self-hosted, the release cadence is roughly two to three releases per year. Subscribe to the project's security advisories list and patch the server within the maintenance window once a release ships. The CVE-2026-22675 fix in 2.12.4 underscores the need — older 2.11.x installs are exposed.

OCS Inventory features in 2026

Hardware inventory. CPU, memory, disks, network adapters, monitors, peripherals. The Perl Unix agent and the native Windows agent both capture a consistent superset of fields.

Software inventory. Installed packages, version strings, executable paths. Windows pulls from the registry; Linux pulls from rpm/dpkg; macOS pulls from /Applications and pkg databases.

SNMP scanning. Optional. The server can sweep IP ranges with SNMPv1/v2c/v3 to inventory network gear that does not run an OCS agent.

Package deployment. OCS includes a deployment engine — push installers, scripts, or files to agent-equipped endpoints. Useful for basic software distribution; thin compared to modern RMM patch engines.

Web console. PHP-based admin UI. Reports, asset search, group management. Reddit and G2 reviews are blunt: it works, it is functional, it is not modern. The UI has a 2010s aesthetic in 2026.

GLPI synchronisation. The OCSInventoryNG plugin in GLPI pulls OCS data into GLPI's broader asset and ticket model. This is the canonical way OCS is consumed in 2026 — almost no organisation uses OCS standalone.

REST API. Limited compared to modern products. Programmatic access exists but the API surface is narrower than Snipe-IT or commercial alternatives.

Where OCS Inventory falls short

Agent footprint. The Perl Unix agent is a Perl script run by a Perl interpreter. On a fleet of Linux servers this is fine — Perl is already installed. On a managed Windows fleet, the native compiled agent is acceptable but ages noticeably against a modern Rust or Go agent. Battery and CPU impact have not been benchmarked publicly.

No telemetry. OCS captures static configuration. It does not measure CPU/RAM/disk utilisation over time, application crash rates, boot time, or energy consumption.

No remote control. Out of scope by design. Operators pair OCS with separate tools.

No native carbon or ESRS reporting. No emissions module. Compliance with CSRD ESRS E1 requires layering another tool.

UI age. The console works but does not match modern UX expectations. New IT joiners in 2026 react to it the same way they react to phpMyAdmin — competent but anchored in another era.

License usage is not measured. OCS lists installed software. It does not capture whether a Photoshop install is actively used.

Self-hosted maintenance load. Apache + MySQL + Perl + PHP on a Linux box requires real upkeep. OS patches, MySQL upgrades, Perl module updates, plugin compatibility checks. The total cost of ownership is real even when the licence is free.

OCS Inventory CVEs and security posture

The OCS Inventory NG project ships security fixes through its GitHub releases. Recent CVEs:

CVE	Severity	Description	Affected	Year
CVE-2026-22675	Reported	Server-side issue fixed in 2.12.4	<2.12.4	2026
CVE-2025-63601	Reported	Server vulnerability	older 2.11.x	2025
CVE-2025-15602	Reported	Server vulnerability	older 2.11.x	2025
CVE-2022-32060	Disclosed	Documented in NVD	older releases	2022

Source: NVD CVE-2026-22675, OpenCVE OCS Inventory product page, GHSA-xwcw-3qx7-8hxm.

Operational takeaway: OCS Inventory has a real CVE history. Self-hosted operators must run 2.12.4 or later in May 2026. Audit the OS, MariaDB, and PHP versions on the server box at the same cadence.

OCS Inventory + GLPI — the canonical pairing

OCS Inventory NG and GLPI are the historic French open-source ITAM stack. The split:

• OCS Inventory runs the agent fleet, collects raw hardware and software inventory, surfaces SNMP discoveries.
• GLPI imports OCS data via the OCSInventoryNG plugin, then enriches it with users, contracts, suppliers, tickets, lifecycle status, and depreciation rules.

The pattern works. It also means two databases, two servers, two web consoles, two patch schedules, two plugin ecosystems to keep compatible. Many French ESNs have built rich workflows on top of this combination — and have absorbed the operational cost.

A modern SaaS ITAM collapses both into one agent and one console. That is the gap sobrii closes.

When to keep OCS Inventory, when to migrate

Keep OCS Inventory NG if at least three are true:

• You already run GLPI and rely on the OCS pairing for hardware inventory
• Your fleet includes Linux, AIX, or other Unix hosts where the Perl agent is welcome
• Budget for ITAM is effectively zero and your IT team can absorb Linux + Apache + MySQL + Perl maintenance
• Your team's mental model and reporting are built around the OCS+GLPI data structure
• You can patch the server within days of each release (2.12.4 in May 2026)

Migrate if at least three match:

• You run a Windows-and-macOS-dominant fleet where the Perl agent advantage disappears
• You want telemetry — CPU, RAM, energy, application usage — alongside the inventory
• CSRD ESRS E1 reporting is in scope and measured emissions are required
• You want one agent, one console, one product instead of OCS + GLPI + remote tool + RMM
• You no longer have the budget — in time, not in licence cost — to patch OCS and GLPI on the release cadence
• Bilingual product depth (FR/EN parity) and modern SaaS UX are procurement criteria

Sobrii ships one Rust agent — and absorbs the OCS+GLPI scope

One Rust agent, < 1% CPU. The ITAM industry average past OCS Inventory stacks the OCS Perl agent for inventory, a GLPI server for asset management, a TeamViewer or AnyDesk for remote control, an MDM for policy, an EDR for endpoint protection, and an RMM for patch. sobrii ships one signed, sandboxed Rust binary that handles discovery, hardware telemetry, software inventory, per-app energy, and WebRTC remote control. Measured footprint stays under 1% CPU on Windows and macOS. Fewer agents means a smaller attack surface, less battery drain, less support overhead.

The OCS Perl agent is a Perl script run by an interpreter; the Windows variant is a native compiled binary that runs as a scheduled task. The sobrii Rust agent runs continuously at sub-1% and pushes telemetry to a tenant-isolated Azure backend. Two different architectures — sobrii avoids the dual-server OCS+GLPI maintenance burden and the cron-based inventory cycle.

Why sobrii's lifecycle adds a 4th decision: reallocate

sobrii adds a 4th lifecycle decision: reallocate. Where the OCS+GLPI pair offers 3 paths (keep / repair / replace) once you reach lifecycle decisions in GLPI's financial module, sobrii computes 4 options per device — upgrade, repair, reallocate (to the next employee), replace — with cost and CO₂ for each. The reallocate branch extends average service life by 12–18 months and halves per-device embodied carbon.

OCS Inventory captures the configuration; GLPI tracks the financial metadata. Neither side computes the four-decision math automatically. sobrii surfaces the comparison: a Dell Latitude 5420 at 18 months on a Marketing user is worth €420 reallocated to Sales versus €0 in resale, versus 120 kg CO₂ embodied in a new replacement.

See how sobrii's Pilotage Financier exposes the 4th decision.

sobrii measures kWh per employee, not per site

sobrii measures kWh per employee, not per site. The Rust agent captures real consumption (CPU/GPU/screen/battery) second-by-second, then applies the regional grid emission factor (Ember, EPA eGRID) to produce kg-CO₂ per employee per month — exportable directly to CSRD ESRS E1. No category-average proxies: measurement is per device, aggregated per employee.

The OCS Inventory data model has no emissions fields. The GLPI financial module records purchase cost and depreciation but not energy. For CSRD ESRS E1 reporting, an OCS+GLPI deployment must integrate a third tool or rely on category-average proxies — a sobrii deployment ships the measured number out of the box.

Remote control is bundled — no TeamViewer line item

Remote control is in the plan, not an add-on. OCS Inventory NG does not include remote control. GLPI does not include remote control. To take a session, you need TeamViewer, AnyDesk, Splashtop, or another tool — and another license. sobrii ships a built-in WebRTC remote-desktop module (peer-to-peer, no external relay, multi-screen, auto-reconnect). 200-device benchmark: TeamViewer Business roughly $1,020/month → sobrii: $0/month (bundled).

For a 1,000-device fleet, the OCS + GLPI + TeamViewer Business stack runs €0 (open source) + €0 (open source) + roughly $5,100/month (TeamViewer extrapolation) — and you still pay an internal maintenance cost on the two open-source servers. The sobrii equivalent at €15/device/yr is €15,000/yr for 1,000 devices, with telemetry, remote control, per-app energy, and measured carbon included.

Sobrii is 100% bilingual FR/EN at the product core

sobrii is 100% bilingual FR/EN at the product core. Every label, every CSRD report, every export is rendered in the user's language — not a 70%-translated glossary. Reference customer: Métropole de Montpellier (3M residents, 7,000 monitored PCs, –10% CO₂, ≈€1.5M of purchases avoided). sobrii is one of the rare ITAM SaaS designed in France with FR/EN parity from v1.

OCS Inventory and GLPI are both French-origin projects with strong French-language documentation and community. The bilingual depth in OCS+GLPI is real — sobrii's bilingual depth is also real but extends to the modern SaaS layer (CSRD exports, ESRS E1 reports, support, dashboards) that the open-source stack does not natively cover.

FAQ

Is OCS Inventory still maintained in 2026

Yes. The latest stable server release is 2.12.4, shipped in 2026 with the fix for CVE-2026-22675. Prior releases 2.12.2, 2.11.1, 2.10.0 followed a two-to-three-release-per-year cadence. The project is active on GitHub (OCSInventory-NG organisation) and the maintainer community remains French-led.

How much does OCS Inventory cost

OCS Inventory NG is free under GPL. Server and agents are open source. Cost shows up in the operational layer: Linux host, MariaDB, Apache, PHP, Perl, plus the internal IT time to keep the stack patched and the OCSInventoryNG plugin compatible with GLPI upgrades.

Why do French IT teams pair OCS Inventory with GLPI

History. The OCS+GLPI pair has been the de-facto French open-source ITAM stack since 2003. OCS captures the inventory automatically; GLPI manages assets, contracts, tickets, and finance. Both are French-origin projects with strong French documentation and community support. The OCSInventoryNG plugin in GLPI imports data on a schedule.

Has OCS Inventory had any CVEs

Yes. CVE-2026-22675 was fixed in 2.12.4. CVE-2025-63601 and CVE-2025-15602 affected older 2.11.x releases. CVE-2022-32060 is documented in NVD from 2022. The project ships security fixes promptly — self-hosted operators must subscribe to advisories and patch the server within the maintenance window.

What is the difference between OCS Inventory and GLPI Agent

GLPI Agent is the inventory agent built natively for GLPI (Perl-based, evolution of the FusionInventory agent). It removes the dependency on OCS Inventory by integrating inventory capture directly into GLPI. Many GLPI deployments since 10.x use GLPI Agent and skip OCS entirely. OCS Inventory remains relevant where the OCS database, package deployment, or specific reporting workflows are already wired in.

What is the best OCS Inventory alternative in 2026

For full open-source replacement of OCS+GLPI: GLPI Agent + GLPI alone. For modern SaaS ITAM with telemetry, per-app energy, remote control, and CSRD ESRS E1 export: sobrii at €12–€20/device/yr. For network-discovery-heavy environments: Lansweeper Starter at €199/month or Pro at €359/month base. For asset-registry-only: Snipe-IT Cloud at $39.99/month entry.