Description
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to the project_id variable without sanitization in oscal-functions.php, and when the supplied project ID is not found, the unsanitized value is concatenated into an error message via the Messages() function and reflected into the HTML response body without encoding.
Published: 2026-06-09
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OSCAL‑GUI includes a reflected cross-site scripting vulnerability that allows attackers to inject malicious JavaScript via the project parameter in oscal-forms.php. The code assigns the URL‑decoded value to a variable without sanitization and, when the ID is not found, concatenates the unsanitized input into an error message that is reflected in the HTML response. This flaw can be leveraged to run arbitrary scripts in the context of the victim’s browser, potentially leaking session cookies, defacing the page, or executing further client‑side attacks.

Affected Systems

The affected product is OSCAL‑GUI from brian‑ruf. No explicit version information is supplied in the advisory, so all current releases of this application may be vulnerable until a fix is applied.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by crafting a malicious link containing a crafted project parameter and convincing victims to load that URL, after which arbitrary JavaScript runs in the victim’s browser.

Generated by OpenCVE AI on June 9, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest OSCAL‑GUI release that includes input sanitization for the project_id parameter
  • Implement proper output encoding for any user‑supplied data reflected in error messages
  • Restrict access to oscal‑forms.php or validate the project parameter against expected formats before processing

Generated by OpenCVE AI on June 9, 2026 at 23:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to the project_id variable without sanitization in oscal-functions.php, and when the supplied project ID is not found, the unsanitized value is concatenated into an error message via the Messages() function and reflected into the HTML response body without encoding.
Title OSCAL-GUI Reflected XSS via project parameter in oscal-forms.php
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T21:02:40.964Z

Reserved: 2026-03-27T15:24:06.752Z

Link: CVE-2026-34417

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-09T22:16:22.620

Modified: 2026-06-09T22:16:22.620

Link: CVE-2026-34417

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:15:16Z

Weaknesses