PYSEC-2026-105
Vulnerability from pysec - Published: 2026-05-04 18:16 - Updated: 2026-05-20 09:19
VLAI
Details
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0.
Severity
4.6 (Medium)
Impacted products
| Name | purl | openc3 | pkg:pypi/openc3 |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "openc3",
"purl": "pkg:pypi/openc3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1.0",
"5.10.0",
"5.10.1",
"5.11.0",
"5.11.1",
"5.11.2",
"5.11.3",
"5.12.0",
"5.13.0",
"5.14.0",
"5.14.1",
"5.14.2",
"5.15.0",
"5.15.1",
"5.15.2",
"5.16.0",
"5.16.1",
"5.16.2",
"5.17.0",
"5.17.1",
"5.18.0",
"5.19.0",
"5.20.0",
"5.9.2b0",
"6.0.0",
"6.0.1",
"6.0.2",
"6.1.0",
"6.10.0",
"6.10.1",
"6.10.2",
"6.10.3",
"6.10.4",
"6.10.5",
"6.10.6",
"6.2.0",
"6.2.1",
"6.3.0",
"6.4.0",
"6.4.1",
"6.4.2",
"6.5.0",
"6.5.1",
"6.6.0",
"6.7.0",
"6.8.0",
"6.8.1",
"6.9.0",
"6.9.1",
"6.9.2",
"7.0.0rc2",
"7.0.0rc3"
]
}
],
"aliases": [
"CVE-2026-42086",
"GHSA-ffq5-qpvf-xq7x"
],
"details": "OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim\u2019s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0.",
"id": "PYSEC-2026-105",
"modified": "2026-05-20T09:19:10.269368Z",
"published": "2026-05-04T18:16:30.667Z",
"references": [
{
"type": "EVIDENCE",
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
CVE-2026-42086 (GCVE-0-2026-42086)
Vulnerability from cvelistv5 – Published: 2026-05-04 17:15 – Updated: 2026-05-04 19:47
VLAI
Title
OpenC3 COSMOS: Self-XSS in the Command Sender
Summary
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0.
Severity
4.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/OpenC3/cosmos/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42086",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T19:46:44.788122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T19:47:16.828Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cosmos",
"vendor": "OpenC3",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim\u2019s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T17:15:59.239Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x"
}
],
"source": {
"advisory": "GHSA-ffq5-qpvf-xq7x",
"discovery": "UNKNOWN"
},
"title": "OpenC3 COSMOS: Self-XSS in the Command Sender"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42086",
"datePublished": "2026-05-04T17:15:59.239Z",
"dateReserved": "2026-04-23T19:17:30.566Z",
"dateUpdated": "2026-05-04T19:47:16.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GHSA-FFQ5-QPVF-XQ7X
Vulnerability from github – Published: 2026-04-22 22:22 – Updated: 2026-05-29 21:46
VLAI
Summary
OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender
Details
Summary
The Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage.
Details
The unsafe eval() usage on user-supplied ARRAY parameters happens in convertToValue method in CommandSender.vue
PoC
- Using a drop-down form, choose any command that supports ARRAY parameters,
- Inside square brackets “[…]” place a JavaScript code to be executed
- Send command to CmdTlmServer using dedicated “Send” button
- Observe JavaScript code being executed in the current browser session context
Below example uses INST ARYCMD to execute simple JavaScript code snippet alert(“XSS”).
Impact
Local JavaScript execution in the user's browser
Severity
4.6 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "openc3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "openc3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42086"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T22:22:28Z",
"nvd_published_at": "2026-05-04T18:16:30Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe Command Sender UI uses an unsafe `eval()` function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim\u2019s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage.\n\n### Details\nThe unsafe `eval()` usage on user-supplied ARRAY parameters happens in `convertToValue` method in [CommandSender.vue](https://github.com/OpenC3/cosmos/blob/main/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdsender/src/tools/CommandSender/CommandSender.vue)\n\n### PoC\n1.\tUsing a drop-down form, choose any command that supports ARRAY parameters,\n2.\tInside square brackets \u201c[\u2026]\u201d place a JavaScript code to be executed\n3.\tSend command to CmdTlmServer using dedicated \u201cSend\u201d button \n4.\tObserve JavaScript code being executed in the current browser session context\n\nBelow example uses `INST ARYCMD` to execute simple JavaScript code snippet `alert(\u201cXSS\u201d)`.\n\u003cimg width=\"947\" height=\"356\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6fbdb6c9-616a-4268-bbb8-a8a1044437ad\" /\u003e\n\n\u003cimg width=\"942\" height=\"545\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4df24353-aea0-4aa0-adcf-b7c7e387dc83\" /\u003e\n\n### Impact\nLocal JavaScript execution in the user\u0027s browser",
"id": "GHSA-ffq5-qpvf-xq7x",
"modified": "2026-05-29T21:46:39Z",
"published": "2026-04-22T22:22:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42086"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenC3/cosmos"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/openc3/PYSEC-2026-105.yaml"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/openc3/CVE-2026-42086.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…