GHSA-ffq5-qpvf-xq7x: Self-Cross-Site Scripting via Unsafe eval() in OpenC3 COSMOS Command Sender
Vulnerability ID: GHSA-FFQ5-QPVF-XQ7X
CVSS Score: 5.4
Published: 2026-04-22
OpenC3 COSMOS versions prior to 7.0.0 contain a vulnerability in the Command Sender UI where array-like command parameters are processed using the unsafe eval() function. This design flaw permits the execution of arbitrary JavaScript within the user's browser context.
TL;DR
Unsafe use of eval() in the OpenC3 COSMOS Command Sender interface allows for Self-XSS via crafted array-like parameters. The issue is remediated in version 7.0.0.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Score: 5.4
- Impact: Moderate (Self-XSS)
- Exploit Status: Proof of Concept
- CISA KEV Status: Not Listed
Affected Systems
- OpenC3 COSMOS Command Sender UI
- OpenC3 COSMOS: < 7.0.0 (Fixed in: 7.0.0)
Mitigation Strategies
- Upgrade OpenC3 COSMOS to version 7.0.0 or later.
- Avoid pasting untrusted strings or scripts into the Command Sender UI.
- Review shared or imported command configurations for malicious payloads prior to use.
- Implement WAF rules to detect unusual JavaScript payloads in API interactions.
Remediation Steps
- Identify the current version of OpenC3 COSMOS deployed in the environment.
- If the version is prior to 7.0.0, schedule a maintenance window for the upgrade.
- Deploy OpenC3 COSMOS version 7.0.0 or later following the official release documentation.
- Verify the update by testing array parameter inputs in the Command Sender UI to ensure eval() execution no longer occurs.
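The pattern behind this advisory (an array-like parameter string handed to eval()) next to a strict parser that accepts only JSON array literals of primitives, shown as an added example rather than OpenC3's own code. Function names are assumptions; the unsafe variant is included only to show why an arithmetic expression such as "[1+1]" is evaluated rather than rejected, which is the same verification a post-upgrade check should perform.

```javascript
// Added example (not OpenC3 COSMOS code). The vulnerable pattern: the UI
// treats a user-typed string like "[1, 2, 3]" as an array by evaluating it,
// so any JavaScript expression inside the brackets runs in the page context.
function unsafeParseArrayParam(text) {
  return eval(text); // CWE-79: executes whatever the string contains
}

// Hardened replacement: parse with JSON.parse (data only, never code) and
// then validate the shape, so only a flat array of primitives is accepted.
// Assumption: parameters are written in JSON syntax (double-quoted strings).
function parseArrayParam(text) {
  if (typeof text !== 'string') throw new TypeError('array parameter must be a string');
  const trimmed = text.trim();
  if (!trimmed.startsWith('[') || !trimmed.endsWith(']')) {
    throw new Error('array parameter must be a bracketed literal');
  }
  let value;
  try {
    value = JSON.parse(trimmed); // throws on "[1+1]", "[foo()]", etc.
  } catch (err) {
    throw new Error('array parameter is not valid JSON: ' + err.message);
  }
  if (!Array.isArray(value)) throw new Error('parsed value is not an array');
  for (const item of value) {
    const kind = typeof item;
    if (kind !== 'number' && kind !== 'string' && kind !== 'boolean') {
      throw new Error('unsupported array element type: ' + kind);
    }
  }
  return value;
}

// Convenience check for input validation or regression tests after upgrade:
// true only when the strict parser accepts the string.
function isSafeArrayParam(text) {
  try {
    parseArrayParam(text);
    return true;
  } catch (err) {
    return false;
  }
}
```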
References
- GitHub Advisory Database: GHSA-ffq5-qpvf-xq7x
- OpenC3 COSMOS Release Notes v7.0.0
- SecAlerts Vulnerability Analysis