Description
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0.
Published: 2026-05-04
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenC3 COSMOS used a JavaScript eval() function on array‑like command parameters. This allows a malicious payload supplied through those parameters to be executed in the browser when the command is sent. The resulting self‑XSS vulnerability means an attacker can run arbitrary code within the authenticated session and can read or alter data, including session tokens stored in local storage.

Affected Systems

The affected product is OpenC3 COSMOS. All releases prior to 7.0.0 are vulnerable. The vulnerability is fixed in version 7.0.0 and later.

Risk and Exploitability

The CVSS score of 4.6 indicates low‑to‑moderate severity. Exploitation requires the attacker to influence the array‑parameter input, typically via phishing or social engineering, and the victim must submit a command. No EPSS score is available, and the issue is not in the CISA KEV catalog. While the impact is confined to the victim’s session, successful exploitation can compromise authenticated data and session integrity, making the risk significant for environments where this interface is exposed to untrusted users.

Generated by OpenCVE AI on May 4, 2026 at 18:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the patched release, version 7.0.0 or later
  • Restrict access to the Command Sender UI to trusted users or internal networks to reduce phishing opportunities
  • Sanitize any user‑supplied array parameters and remove eval usage in custom deployments as a temporary mitigation

Generated by OpenCVE AI on May 4, 2026 at 18:54 UTC.
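As an added illustration of the pattern behind this CVE (example code, not OpenC3 COSMOS's own): a parser that hands an array-like parameter string to eval() executes whatever expression the string contains, whereas a JSON-based parser that validates the shape rejects such input without running anything. The function names, the bump() marker and both inputs are constructed for this example.

```javascript
// Vulnerable pattern (hypothetical name): the text typed into the parameter
// field is evaluated as JavaScript, so any expression inside it runs in the page.
function parseArrayParamUnsafe(text) {
  return eval(text); // executes arbitrary code, not just array literals
}

// Hardened replacement: parse as JSON, then validate the shape strictly.
// Throws on anything that is not a flat array of number/string/boolean.
function parseArrayParamSafe(text, maxItems = 1000) {
  if (typeof text !== 'string') throw new TypeError('expected a string');
  let value;
  try {
    value = JSON.parse(text); // never executes code
  } catch (e) {
    throw new Error('parameter is not valid JSON');
  }
  if (!Array.isArray(value)) throw new Error('parameter must be an array');
  if (value.length > maxItems) throw new Error('too many items');
  for (const item of value) {
    const t = typeof item;
    if (t !== 'number' && t !== 'string' && t !== 'boolean') {
      throw new Error(`unsupported element type: ${t}`);
    }
  }
  return value;
}

// Constructed inputs: a legitimate parameter and one carrying an expression.
// The expression only bumps a counter, which is enough to show that eval()
// ran it; the safe parser rejects the input before anything can run.
let sideEffectCount = 0;
function bump() { sideEffectCount += 1; return 0; }
const GOOD_INPUT = '[1, 2, 3]';
const EXPRESSION_INPUT = '[bump(), 2, 3]';

function demo() {
  const r = {};
  r.unsafeGood = parseArrayParamUnsafe(GOOD_INPUT);
  r.unsafeExpr = parseArrayParamUnsafe(EXPRESSION_INPUT); // bump() runs here
  r.sideEffectsAfterUnsafe = sideEffectCount;
  r.safeGood = parseArrayParamSafe(GOOD_INPUT);
  try { parseArrayParamSafe(EXPRESSION_INPUT); r.safeExpr = 'accepted'; }
  catch (e) { r.safeExpr = 'rejected: ' + e.message; }
  r.sideEffectsAfterSafe = sideEffectCount; // unchanged: nothing executed
  return r;
}

console.log(JSON.stringify(demo(), null, 2));
```

The same shape check also closes the door on nested objects or arrays that a downstream command encoder might not expect.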


Advisories

No advisories yet.

History

Mon, 04 May 2026 20:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 19:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Openc3; Openc3 cosmos
Vendors & Products  |                | Openc3; Openc3 cosmos

Mon, 04 May 2026 17:45:00 +0000

Type        | Values Removed | Values Added
Description |                | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0.
Title       |                | OpenC3 COSMOS: Self-XSS in the Command Sender
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T19:47:16.828Z

Reserved: 2026-04-23T19:17:30.566Z

Link: CVE-2026-42086

Vulnrichment

Updated: 2026-05-04T19:46:13.907Z

NVD

Status : Received

Published: 2026-05-04T18:16:30.667

Modified: 2026-05-04T20:16:19.843

Link: CVE-2026-42086

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:00:07Z

Weaknesses