Description
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to the project_id variable without sanitization in oscal-functions.php, and when the supplied project ID is not found, the unsanitized value is concatenated into an error message via the Messages() function and reflected into the HTML response body without encoding.
Published: 2026-06-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OSCAL‑GUI includes a reflected cross-site scripting vulnerability that allows attackers to inject malicious JavaScript via the project parameter in oscal-forms.php. The code assigns the URL‑decoded value to a variable without sanitization and, when the ID is not found, concatenates the unsanitized input into an error message that is reflected in the HTML response. This flaw can be leveraged to run arbitrary scripts in the context of the victim’s browser, potentially leaking session cookies, defacing the page, or executing further client‑side attacks.

Affected Systems

The affected product is OSCAL‑GUI from brian‑ruf. No explicit version information is supplied in the advisory, so all current releases of this application may be vulnerable until a fix is applied.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by crafting a malicious link containing a crafted project parameter and convincing victims to load that URL, after which arbitrary JavaScript runs in the victim’s browser.

Generated by OpenCVE AI on June 9, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest OSCAL‑GUI release that includes input sanitization for the project_id parameter
  • Implement proper output encoding for any user‑supplied data reflected in error messages
  • Restrict access to oscal‑forms.php or validate the project parameter against expected formats before processing

Generated by OpenCVE AI on June 9, 2026 at 23:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Brian-ruf
Brian-ruf oscal-gui
Vendors & Products Brian-ruf
Brian-ruf oscal-gui

Tue, 09 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to the project_id variable without sanitization in oscal-functions.php, and when the supplied project ID is not found, the unsanitized value is concatenated into an error message via the Messages() function and reflected into the HTML response body without encoding.
Title OSCAL-GUI Reflected XSS via project parameter in oscal-forms.php
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Brian-ruf Oscal-gui
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T14:24:03.277Z

Reserved: 2026-03-27T15:24:06.752Z

Link: CVE-2026-34417

cve-icon Vulnrichment

Updated: 2026-06-10T14:23:58.292Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T22:16:22.620

Modified: 2026-06-10T19:41:25.327

Link: CVE-2026-34417

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T11:22:00Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')