Skip to main content

OSCAL-GUI EUVDEUVD-2026-35840

| CVE-2026-34416 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 disclosure@vulncheck.com GHSA-6cgq-85j5-m2j8
5.1
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vulncheck) · only source for this CVE.

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 21:42 vuln.today

DescriptionCVE.org

OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious input through the project request parameter. Attackers can craft a malicious URL containing unsanitized input that breaks out of the JavaScript string and HTML attribute context in the body onload event handler to execute arbitrary scripts when the link is visited by a victim.

AnalysisAI

Reflected cross-site scripting in OSCAL-GUI allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a malicious payload in the project request parameter. The injected input breaks out of both JavaScript string and HTML attribute context within the body onload event handler, granting attacker-controlled script execution in the victim's session. No active exploitation is confirmed (not in CISA KEV), but a public GitHub gist documenting the issue exists, suggesting POC-level detail is openly accessible.

Technical ContextAI

OSCAL-GUI is a web-based graphical interface for working with OSCAL (Open Security Controls Assessment Language) data. The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation - Reflected XSS), where user-supplied input from the project GET/POST parameter is dynamically reflected into the page response without adequate output encoding or sanitization. Critically, the injection point resides inside a JavaScript string literal and HTML attribute within the body's onload event handler, meaning the attacker must break out of two nested contexts (JS string escape then HTML attribute boundary) to achieve script execution. No CPE strings were included in the provided intelligence, so exact affected versions cannot be confirmed from available data. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms network-reachable, low-complexity exploitation requiring active victim interaction.

RemediationAI

No vendor-released patch has been identified at time of analysis. Immediate compensating controls should focus on the server side: the project parameter must be output-encoded before being reflected into HTML and JavaScript contexts - HTML-encoding alone is insufficient given the dual-context escape; both HTML entity encoding and JavaScript string escaping are required at the injection point. Deploying a strict Content Security Policy (CSP) header with script-src 'self' and without unsafe-inline would neutralize injected inline scripts as a defense-in-depth measure, though it may break existing functionality that relies on inline scripts and requires testing before deployment. If OSCAL-GUI is only used internally, restricting access to trusted network segments or requiring VPN/authentication at the network layer eliminates the unauthenticated remote attack surface entirely. Monitor the VulnCheck advisory at https://www.vulncheck.com/advisories/oscal-gui-reflected-xss-via-project-parameter-in-oscal-php for patch availability updates.

Share

EUVD-2026-35840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy