---
gem: openc3
cve: 2026-42086
ghsa: ffq5-qpvf-xq7x
url: https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x
title: OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender
date: 2026-04-22
description: |
  ### Summary
  The Command Sender UI uses an unsafe `eval()` call on array-like
  command parameters, which allows a user-supplied payload to execute
  in the browser when a command is sent. This creates a self-XSS risk:
  an attacker who can influence the array parameter input, for example
  via phishing, can trigger script execution in the victim's session.
  If successful, the attacker may read or modify data in the
  authenticated browser context, including session tokens in local
  storage.
  ### Details
  The unsafe `eval()` usage on user-supplied ARRAY parameters happens
  in the `convertToValue` method in [CommandSender.vue](https://github.com/OpenC3/cosmos/blob/main/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdsender/src/tools/CommandSender/CommandSender.vue).
  ### Impact
  Local JavaScript execution in the user's browser.
cvss_v3: 4.6
patched_versions:
  - ">= 7.0.0"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-42086
    - https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x
    - https://github.com/advisories/GHSA-ffq5-qpvf-xq7x
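The `eval()` pattern the advisory describes, as an added example that is not OpenC3 COSMOS code: a hypothetical `convertArrayUnsafe` that evaluates the array-like parameter string with `eval()`, beside a `convertArraySafe` replacement that parses it as JSON and checks the result's shape before accepting it. The JSON syntax for array parameters and both function names are assumptions.

```javascript
// Added example (not the OpenC3 COSMOS implementation). Function names and
// the JSON array syntax are assumptions made for illustration.

// Vulnerable pattern: eval() runs whatever the string contains, so an
// "array" value that is really JavaScript executes in the page's origin.
function convertArrayUnsafe(input) {
  // Intentionally unsafe, shown only to contrast with the fix below.
  return eval(input);
}

// Hardened replacement: parse as data, never as code, then validate that
// the result is an array whose elements are plain numbers or strings.
// Any other input is rejected with an Error instead of being executed.
function convertArraySafe(input) {
  let value;
  try {
    value = JSON.parse(input);
  } catch (e) {
    throw new Error("array parameter is not valid JSON");
  }
  if (!Array.isArray(value)) {
    throw new Error("array parameter must be a JSON array");
  }
  for (const item of value) {
    const t = typeof item;
    if (t !== "number" && t !== "string") {
      throw new Error("array elements must be numbers or strings");
    }
  }
  return value;
}

// Returns true when the safe converter rejects the input (used to show
// that code-bearing strings never reach an executing context).
function safeRejects(input) {
  try {
    convertArraySafe(input);
    return false;
  } catch (e) {
    return true;
  }
}
```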