CVE-2026-42086

MEDIUM4.6EPSS 0.04%

OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender

Published: 5/4/2026Modified: 5/29/2026
Also known as:GHSA-ffq5-qpvf-xq7xPYSEC-2026-105

Description

### Summary The Command Sender UI uses an unsafe `eval()` function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. ### Details The unsafe `eval()` usage on user-supplied ARRAY parameters happens in `convertToValue` method in [CommandSender.vue](https://github.com/OpenC3/cosmos/blob/main/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdsender/src/tools/CommandSender/CommandSender.vue) ### PoC 1. Using a drop-down form, choose any command that supports ARRAY parameters, 2. Inside square brackets “[…]” place a JavaScript code to be executed 3. Send command to CmdTlmServer using dedicated “Send” button 4. Observe JavaScript code being executed in the current browser session context Below example uses `INST ARYCMD` to execute simple JavaScript code snippet `alert(“XSS”)`. <img width="947" height="356" alt="image" src="https://github.com/user-attachments/assets/6fbdb6c9-616a-4268-bbb8-a8a1044437ad" /> <img width="942" height="545" alt="image" src="https://github.com/user-attachments/assets/4df24353-aea0-4aa0-adcf-b7c7e387dc83" /> ### Impact Local JavaScript execution in the user's browser

Affected packages (3)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1MEDIUM4.6CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

References (5)