{"id":"GHSA-ffq5-qpvf-xq7x","summary":"OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender","details":"### Summary\nThe Command Sender UI uses an unsafe `eval()` function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage.\n\n### Details\nThe unsafe `eval()`  usage on user-supplied ARRAY parameters happens in `convertToValue` method in [CommandSender.vue](https://github.com/OpenC3/cosmos/blob/main/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdsender/src/tools/CommandSender/CommandSender.vue)\n\n### PoC\n1.\tUsing a drop-down form, choose any command that supports ARRAY parameters,\n2.\tInside square brackets “[…]” place a JavaScript code to be executed\n3.\tSend command to CmdTlmServer using dedicated “Send” button \n4.\tObserve JavaScript code being executed in the current browser session context\n\nBelow example uses `INST ARYCMD` to execute simple JavaScript code snippet `alert(“XSS”)`.\n\u003cimg width=\"947\" height=\"356\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6fbdb6c9-616a-4268-bbb8-a8a1044437ad\" /\u003e\n\n\u003cimg width=\"942\" height=\"545\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4df24353-aea0-4aa0-adcf-b7c7e387dc83\" /\u003e\n\n### Impact\nLocal JavaScript execution in the user's browser","aliases":["CVE-2026-42086","PYSEC-2026-105"],"modified":"2026-05-29T22:00:13.405819944Z","published":"2026-04-22T22:22:28Z","database_specific":{"github_reviewed_at":"2026-04-22T22:22:28Z","severity":"MODERATE","github_reviewed":true,"nvd_published_at":"2026-05-04T18:16:30Z","cwe_ids":["CWE-79"]},"references":[{"type":"WEB","url":"https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42086"},{"type":"PACKAGE","url":"https://github.com/OpenC3/cosmos"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/openc3/PYSEC-2026-105.yaml"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/openc3/CVE-2026-42086.yml"}],"affected":[{"package":{"name":"openc3","ecosystem":"RubyGems","purl":"pkg:gem/openc3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.0"}]}],"versions":["5.0.10","5.0.11","5.0.6","5.0.7","5.0.8","5.0.9","5.1.0","5.1.1","5.10.0","5.10.1","5.11.0","5.11.1","5.11.2","5.11.3","5.12.0","5.13.0","5.14.0","5.14.1","5.14.2","5.15.0","5.15.1","5.15.2","5.16.0","5.16.1","5.16.2","5.17.0","5.17.1","5.18.0","5.19.0","5.2.0","5.20.0","5.3.0","5.4.0","5.4.1","5.4.2","5.4.3.pre.beta0","5.5.0","5.5.0.pre.beta0","5.5.1","5.5.2","5.5.2.pre.beta0","5.6.0","5.6.1","5.7.0","5.7.2","5.8.0","5.8.1","5.9.0","5.9.1","6.0.0","6.0.1","6.0.2","6.1.0","6.10.0","6.10.1","6.10.2","6.10.3","6.10.4","6.10.5","6.10.6","6.2.0","6.2.1","6.3.0","6.4.0","6.4.1","6.4.2","6.5.0","6.5.1","6.6.0","6.7.0","6.8.0","6.8.1","6.9.0","6.9.1","6.9.2","7.0.0.pre.rc1","7.0.0.pre.rc2","7.0.0.pre.rc3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-ffq5-qpvf-xq7x/GHSA-ffq5-qpvf-xq7x.json"}},{"package":{"name":"openc3","ecosystem":"PyPI","purl":"pkg:pypi/openc3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.0"}]}],"versions":["0.1.0","5.10.0","5.10.1","5.11.0","5.11.1","5.11.2","5.11.3","5.12.0","5.13.0","5.14.0","5.14.1","5.14.2","5.15.0","5.15.1","5.15.2","5.16.0","5.16.1","5.16.2","5.17.0","5.17.1","5.18.0","5.19.0","5.20.0","5.9.2b0","6.0.0","6.0.1","6.0.2","6.1.0","6.10.0","6.10.1","6.10.2","6.10.3","6.10.4","6.10.5","6.10.6","6.2.0","6.2.1","6.3.0","6.4.0","6.4.1","6.4.2","6.5.0","6.5.1","6.6.0","6.7.0","6.8.0","6.8.1","6.9.0","6.9.1","6.9.2","7.0.0rc2","7.0.0rc3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-ffq5-qpvf-xq7x/GHSA-ffq5-qpvf-xq7x.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"}]}