Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (vulncheck) · only source for this CVE.
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious input through the project request parameter. Attackers can craft a malicious URL containing unsanitized input that breaks out of the JavaScript string and HTML attribute context in the body onload event handler to execute arbitrary scripts when the link is visited by a victim.
AnalysisAI
Reflected cross-site scripting in OSCAL-GUI allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a malicious payload in the project request parameter. The injected input breaks out of both JavaScript string and HTML attribute context within the body onload event handler, granting attacker-controlled script execution in the victim's session. No active exploitation is confirmed (not in CISA KEV), but a public GitHub gist documenting the issue exists, suggesting POC-level detail is openly accessible.
Technical ContextAI
OSCAL-GUI is a web-based graphical interface for working with OSCAL (Open Security Controls Assessment Language) data. The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation - Reflected XSS), where user-supplied input from the project GET/POST parameter is dynamically reflected into the page response without adequate output encoding or sanitization. Critically, the injection point resides inside a JavaScript string literal and HTML attribute within the body's onload event handler, meaning the attacker must break out of two nested contexts (JS string escape then HTML attribute boundary) to achieve script execution. No CPE strings were included in the provided intelligence, so exact affected versions cannot be confirmed from available data. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms network-reachable, low-complexity exploitation requiring active victim interaction.
RemediationAI
No vendor-released patch has been identified at time of analysis. Immediate compensating controls should focus on the server side: the project parameter must be output-encoded before being reflected into HTML and JavaScript contexts - HTML-encoding alone is insufficient given the dual-context escape; both HTML entity encoding and JavaScript string escaping are required at the injection point. Deploying a strict Content Security Policy (CSP) header with script-src 'self' and without unsafe-inline would neutralize injected inline scripts as a defense-in-depth measure, though it may break existing functionality that relies on inline scripts and requires testing before deployment. If OSCAL-GUI is only used internally, restricting access to trusted network segments or requiring VPN/authentication at the network layer eliminates the unauthenticated remote attack surface entirely. Monitor the VulnCheck advisory at https://www.vulncheck.com/advisories/oscal-gui-reflected-xss-via-project-parameter-in-oscal-php for patch availability updates.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35840
GHSA-6cgq-85j5-m2j8