GHSA-4RV8-5CMM-2R22

Vulnerability from github – Published: 2026-02-28 02:07 – Updated: 2026-02-28 02:07
VLAI?
Summary
osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List
Details

Summary

A stored Cross-site Scripting (XSS) vulnerability exists in the osctrl-admin on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The payload is stored and executes in the browser of any user (including administrators) who visits the query list page. This can be chained with CSRF token extraction to escalate privileges and take actions as the logged in user.

Impact

An attacker with query-level permissions (the lowest privilege tier) can execute arbitrary JavaScript in the browsers of all users who view the query list. Depending on their level of access, it can lead to full platform compromise if an administrator executes the payload.

Patches

Fixed in osctrl v0.5.0. Users should upgrade immediately.

Workarounds

Restrict query-level permissions to trusted users. Monitor query list for suspicious payloads. Review osctrl user accounts for unauthorized administrators.

References

  • https://github.com/jmpsec/osctrl/pull/778
  • https://cwe.mitre.org/data/definitions/79.html

Credits

Leon Johnson and Kwangyun Keum from TikTok USDS JV Offensive Security Operations (Offensive Privacy Team)

https://github.com/Kwangyun → @Kwangyun

https://github.com/sho-luv → @sho-luv

Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/jmpsec/osctrl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-28T02:07:15Z",
    "nvd_published_at": "2026-02-26T23:16:37Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA stored Cross-site Scripting (XSS) vulnerability exists in the `osctrl-admin` on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The payload is stored and executes in the browser of any user (including administrators) who visits the query list page. This can be chained with CSRF token extraction to escalate privileges and take actions as the logged in user.\n\n### Impact\nAn attacker with query-level permissions (the lowest privilege tier) can execute arbitrary JavaScript in the browsers of all users who view the query list. Depending on their level of access, it can lead to full platform compromise if an administrator executes the payload.\n\n### Patches\nFixed in osctrl `v0.5.0`. Users should upgrade immediately.\n\n### Workarounds\nRestrict query-level permissions to trusted users. Monitor query list for suspicious payloads. Review osctrl user accounts for unauthorized administrators.\n\n### References\n- https://github.com/jmpsec/osctrl/pull/778\n- https://cwe.mitre.org/data/definitions/79.html\n\n### Credits\n\nLeon Johnson and Kwangyun Keum from TikTok USDS JV Offensive Security Operations (Offensive Privacy Team) \n\nhttps://github.com/Kwangyun \u2192 @Kwangyun\n\nhttps://github.com/sho-luv \u2192 @sho-luv",
  "id": "GHSA-4rv8-5cmm-2r22",
  "modified": "2026-02-28T02:07:15Z",
  "published": "2026-02-28T02:07:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jmpsec/osctrl/security/advisories/GHSA-4rv8-5cmm-2r22"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28280"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jmpsec/osctrl/pull/778"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jmpsec/osctrl"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.