{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28279", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.734Z", "datePublished": "2026-02-26T22:59:29.972Z", "dateUpdated": "2026-02-27T17:33:49.803Z"}, "containers": {"cna": {"title": "`osctrl-admin` Vulnerable to OS Command Injection via Environment Configuration", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/jmpsec/osctrl/security/advisories/GHSA-rchw-322g-f7rm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jmpsec/osctrl/security/advisories/GHSA-rchw-322g-f7rm"}, {"name": "https://github.com/jmpsec/osctrl/pull/777", "tags": ["x_refsource_MISC"], "url": "https://github.com/jmpsec/osctrl/pull/777"}, {"name": "https://github.com/jmpsec/osctrl/pull/780", "tags": ["x_refsource_MISC"], "url": "https://github.com/jmpsec/osctrl/pull/780"}], "affected": [{"vendor": "jmpsec", "product": "osctrl", "versions": [{"version": "< 0.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:59:29.972Z"}, "descriptions": [{"lang": "en", "value": "osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl `v0.5.0`. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands."}], "source": {"advisory": "GHSA-rchw-322g-f7rm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T17:33:31.500697Z", "id": "CVE-2026-28279", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:33:49.803Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28279", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-27T17:33:31.500697Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:33:42.499Z"}}], "cna": {"title": "`osctrl-admin` Vulnerable to OS Command Injection via Environment Configuration", "source": {"advisory": "GHSA-rchw-322g-f7rm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "jmpsec", "product": "osctrl", "versions": [{"status": "affected", "version": "< 0.5.0"}]}], "references": [{"url": "https://github.com/jmpsec/osctrl/security/advisories/GHSA-rchw-322g-f7rm", "name": "https://github.com/jmpsec/osctrl/security/advisories/GHSA-rchw-322g-f7rm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jmpsec/osctrl/pull/777", "name": "https://github.com/jmpsec/osctrl/pull/777", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/jmpsec/osctrl/pull/780", "name": "https://github.com/jmpsec/osctrl/pull/780", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl `v0.5.0`. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:59:29.972Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28279", "state": "PUBLISHED", "dateUpdated": "2026-02-27T17:33:49.803Z", "dateReserved": "2026-02-26T01:52:58.734Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T22:59:29.972Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl `v0.5.0`. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands."}, {"lang": "es", "value": "osctrl es una soluci\u00f3n de gesti\u00f3n de osquery. Antes de la versi\u00f3n 0.5.0, existe una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en la configuraci\u00f3n del entorno de `osctrl-admin`. Un administrador autenticado puede inyectar comandos de shell arbitrarios a trav\u00e9s del par\u00e1metro de nombre de host al crear o editar entornos. Estos comandos se incrustan en scripts de una sola l\u00ednea de inscripci\u00f3n generados usando el paquete `text/template` de Go (que no realiza el escape de shell) y se ejecutan en cada punto final que se inscribe usando el entorno comprometido. Un atacante con acceso de administrador puede lograr la ejecuci\u00f3n remota de c\u00f3digo en cada punto final que se inscribe usando el entorno comprometido. Los comandos se ejecutan como root/SYSTEM (el nivel de privilegio utilizado para la inscripci\u00f3n de osquery) antes de que se instale osquery, sin dejar rastro de auditor\u00eda a nivel de agente. Esto permite la instalaci\u00f3n de puertas traseras, la exfiltraci\u00f3n de credenciales y el compromiso total del punto final. Esto se corrige en osctrl `v0.5.0`. Como soluci\u00f3n alternativa, restrinja el acceso de administrador de osctrl a personal de confianza, revise las configuraciones de entorno existentes en busca de nombres de host sospechosos y/o monitoree los scripts de inscripci\u00f3n en busca de comandos inesperados."}], "id": "CVE-2026-28279", "lastModified": "2026-02-27T14:06:37.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T23:16:37.567", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/jmpsec/osctrl/pull/777"}, {"source": "security-advisories@github.com", "url": "https://github.com/jmpsec/osctrl/pull/780"}, {"source": "security-advisories@github.com", "url": "https://github.com/jmpsec/osctrl/security/advisories/GHSA-rchw-322g-f7rm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.5.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "osctrl", "source": "cna", "vendor": "jmpsec"}, "product": "osctrl", "vendor": "jmpsec"}], "created": "2026-02-27T09:03:43.343574+00:00", "updated": "2026-02-27T09:03:43.343644+00:00", "vendors": ["jmpsec", "jmpsec$PRODUCT$osctrl"]}