Description
osctrl is an osquery management solution. Prior to version 0.5.0, a stored cross-site scripting (XSS) vulnerability exists in the `osctrl-admin` on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The payload is stored and executes in the browser of any user (including administrators) who visits the query list page. This can be chained with CSRF token extraction to escalate privileges and take actions as the logged in user. An attacker with query-level permissions (the lowest privilege tier) can execute arbitrary JavaScript in the browsers of all users who view the query list. Depending on their level of access, it can lead to full platform compromise if an administrator executes the payload. The issue is fixed in osctrl `v0.5.0`. As a workaround, restrict query-level permissions to trusted users, monitor query list for suspicious payloads, and/or review osctrl user accounts for unauthorized administrators.
Published: 2026-02-26
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw (CWE-79) in the osctrl-admin on-demand query list: a user with query-level permissions can place arbitrary JavaScript in the query parameter when running an on-demand query. The payload is persisted with the query and executes in the browser of any user who later visits the query list page, administrators included. Because the script runs inside the victim's authenticated session, it can read the page's CSRF token and issue requests as that user, so an administrator who merely views the list can be made to perform privileged actions; the advisory describes this as a path to full platform compromise.
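The rendering defect behind a stored XSS of this kind is a template that emits operator-supplied text into HTML without contextual escaping. The following is an added illustration, not osctrl's code: a hypothetical `StoredQuery` record and a minimal query-list template rendered once with Go's `text/template` (no escaping, the vulnerable pattern) and once with `html/template` (the hardened form). The sample queries are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// StoredQuery is a hypothetical stand-in for one on-demand query record
// (display name plus the SQL the operator submitted). It is not osctrl's
// data model.
type StoredQuery struct {
	Name  string
	Query string
}

// queryListTpl is a minimal query-list page. Both renderers below parse
// this same source; only the template package differs.
const queryListTpl = `<table>{{range .}}<tr><td>{{.Name}}</td><td>{{.Query}}</td></tr>{{end}}</table>`

// RenderUnsafe is the vulnerable pattern: text/template performs no
// contextual escaping, so a query containing markup is emitted verbatim
// into the page and runs in every viewer's browser.
func RenderUnsafe(queries []StoredQuery) (string, error) {
	tpl, err := texttemplate.New("list").Parse(queryListTpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tpl.Execute(&buf, queries); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSafe is the hardened form: html/template escapes each value for
// the HTML context it lands in, so the same query is displayed as text.
func RenderSafe(queries []StoredQuery) (string, error) {
	tpl, err := htmltemplate.New("list").Parse(queryListTpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tpl.Execute(&buf, queries); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SampleQueries is constructed input: one ordinary osquery statement and
// one whose query field carries an HTML payload.
func SampleQueries() []StoredQuery {
	return []StoredQuery{
		{Name: "uptime", Query: "SELECT * FROM uptime;"},
		{Name: "probe", Query: `SELECT 1; <img src=x onerror="alert(1)">`},
	}
}

func main() {
	raw, err := RenderUnsafe(SampleQueries())
	if err != nil {
		panic(err)
	}
	safe, err := RenderSafe(SampleQueries())
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", safe)
}
```

With `html/template` the payload comes out as `&lt;img src=x onerror=&#34;alert(1)&#34;&gt;` and the benign query is unchanged. The same escape hatch reappears if a value is wrapped in `template.HTML` before rendering, so the fix is never to mark operator-controlled data as trusted, not just which package is imported.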

Affected Systems

jmpsec osctrl versions earlier than 0.5.0 are affected; only systems running the vulnerable version of osctrl and hosting the osctrl‑admin interface are at risk.

Risk and Exploitability

With a CVSS score of 6.1 the flaw is classified as medium severity. The published CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N) rates confidentiality and integrity impact as high, but privileges required as high, user interaction as required and scope as unchanged, which is what holds the base score at medium. Note the tension between PR:H and the advisory's statement that query-level permissions are the lowest privilege tier: in deployments that hand that tier out freely, treat the score as a floor. The EPSS score of under 1% indicates a very low predicted likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attacker must hold an osctrl account with query-level permissions to store the payload; once stored, it affects every user who views the query list page.

Generated by OpenCVE AI on April 16, 2026 at 15:54 UTC.

Remediation

The vendor has fixed the issue in osctrl v0.5.0. For earlier versions the advisory gives three workarounds: restrict query-level permissions to trusted users, monitor the on-demand query list for suspicious payloads, and review osctrl user accounts for unauthorized administrators.

OpenCVE Recommended Actions

  • Upgrade osctrl to version 0.5.0 or later
  • Restrict query‑level permissions to trusted users
  • Monitor the on‑demand query list for suspicious payloads
  • Review osctrl user accounts to ensure no unauthorized administrators exist
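The "monitor the on-demand query list" workaround needs a check that distinguishes markup from legitimate osquery SQL, which freely uses `<` and `>` as comparison operators and may have column names beginning with "on". The scanner below is an added example, not osctrl tooling: it takes a slice of hypothetical `StoredQuery` records (constructed samples, not necessarily valid osquery schema) and flags the ones carrying tag names that can run script or load content, inline event handlers inside a tag, `javascript:` URLs, or entity-encoded angle brackets.

```go
package main

import (
	"fmt"
	"regexp"
)

// StoredQuery is a hypothetical stand-in for one on-demand query record;
// it is not osctrl's data model.
type StoredQuery struct {
	Name  string
	Query string
}

// Finding names a stored query and why it was flagged for review.
type Finding struct {
	Name   string
	Reason string
}

// Patterns that indicate HTML or script rather than osquery SQL. A bare
// "<" or ">" is deliberately not a marker, and every tag-shaped pattern
// requires the tag name to follow "<" immediately (as browsers do), so
// comparisons such as "nice < 0" do not match.
var (
	// opening or closing tag for elements that can run script or load content
	tagPattern = regexp.MustCompile(`(?i)</?(script|img|svg|iframe|object|embed|style|link|meta|form|input|body|video|audio|math|details|marquee|base)\b`)
	// a javascript: URL anywhere in the text
	jsURLPattern = regexp.MustCompile(`(?i)javascript\s*:`)
	// entity-encoded angle brackets, a common attempt to slip past naive filters
	entityPattern = regexp.MustCompile(`(?i)&(lt|gt|#0*60|#0*62|#x0*3c|#x0*3e);`)
	// an inline event handler attribute inside a tag; on its own "on[a-z]+="
	// is far too noisy against SQL like "online = 1"
	handlerPattern = regexp.MustCompile(`(?i)<[a-z][a-z0-9]*[^>]*\bon[a-z]{2,}\s*=`)
	// any other tag-shaped token carrying an attribute, e.g. <x y=...
	attrPattern = regexp.MustCompile(`(?i)<[a-z][a-z0-9]*\s+[a-z-]+\s*=`)
)

// classify returns a reason if the SQL appears to carry markup, or "" if
// it looks clean. Order matters: the most specific signal wins.
func classify(sql string) string {
	switch {
	case tagPattern.MatchString(sql):
		return "html tag"
	case jsURLPattern.MatchString(sql):
		return "javascript: url"
	case entityPattern.MatchString(sql):
		return "entity-encoded angle bracket"
	case handlerPattern.MatchString(sql):
		return "inline event handler"
	case attrPattern.MatchString(sql):
		return "tag with attribute"
	}
	return ""
}

// ScanQueries runs classify over every stored query and returns those a
// human should review.
func ScanQueries(queries []StoredQuery) []Finding {
	var findings []Finding
	for _, q := range queries {
		if reason := classify(q.Query); reason != "" {
			findings = append(findings, Finding{Name: q.Name, Reason: reason})
		}
	}
	return findings
}

// SampleStoredQueries is constructed input: three legitimate-looking
// statements with comparison operators or an "on..." column name, and
// three that carry markup.
func SampleStoredQueries() []StoredQuery {
	return []StoredQuery{
		{"uptime", "SELECT * FROM uptime;"},
		{"big_procs", "SELECT pid, name FROM processes WHERE resident_size > 1000000 AND nice < 0;"},
		{"online_ifaces", "SELECT interface FROM ifaces WHERE online = 1;"},
		{"probe1", "SELECT 1; <script>alert(1)</script>"},
		{"probe2", "SELECT 1; <div onmouseover=alert(1)>x</div>"},
		{"probe3", `SELECT 1; <a href="javascript:alert(1)">x</a>`},
	}
}

func main() {
	for _, f := range ScanQueries(SampleStoredQueries()) {
		fmt.Printf("REVIEW %-14s %s\n", f.Name, f.Reason)
	}
}
```

Run this over an export of the stored queries on a schedule and page on any finding; tune the tag list to the environment, and keep the handler check tied to a preceding tag start or it will drown in column names.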



Advisories
Source: GitHub GHSA
ID: GHSA-4rv8-5cmm-2r22
Title: osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List
History

Mon, 02 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 28 Feb 2026 01:15:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:jmpsec:osctrl:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Jmpsec; Jmpsec osctrl

Type: Vendors & Products
Values Removed: (none)
Values Added: Jmpsec; Jmpsec osctrl

Thu, 26 Feb 2026 23:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: osctrl is an osquery management solution. Prior to version 0.5.0, a stored cross-site scripting (XSS) vulnerability exists in the `osctrl-admin` on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The payload is stored and executes in the browser of any user (including administrators) who visits the query list page. This can be chained with CSRF token extraction to escalate privileges and take actions as the logged in user. An attacker with query-level permissions (the lowest privilege tier) can execute arbitrary JavaScript in the browsers of all users who view the query list. Depending on their level of access, it can lead to full platform compromise if an administrator executes the payload. The issue is fixed in osctrl `v0.5.0`. As a workaround, restrict query-level permissions to trusted users, monitor query list for suspicious payloads, and/or review osctrl user accounts for unauthorized administrators.

Type: Title
Values Added: `osctrl-admin` has Stored Cross-Site Scripting (XSS) in On-Demand Query List

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T20:42:03.824Z

Reserved: 2026-02-26T01:52:58.734Z

Link: CVE-2026-28280

Vulnrichment

Updated: 2026-03-02T20:41:58.869Z

NVD

Status : Analyzed

Published: 2026-02-26T23:16:37.740

Modified: 2026-02-28T01:14:46.000

Link: CVE-2026-28280

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')